ABSTRACT


Reactor shutdown system is the most critical component
amongst engineered safety features of a nuclear reactor. Its
reliability estimation is rendered difficult because of the
lack of failure data and the complexity of the system. Fault
tree analysis is an adequate technique for the unavailability
estimation of such systems. Fault Trees express the system
failure as boolean function of the failure of basic components
of the system. Failure data is usually available for basic
components and can be used for point and confidence interval
estimate of system unavailability. To propagate the
uncertainty in basic component failure data Monte-Carlo
simulation can also be used.

CANDU shutdown system comprises Electro-mechanical
shutdown rods and liquid poison injection, each of which
includes sensors, instrument channels, mechanical and fluidic
subsystems. Published work so far has analysed sensors
and instrument channels, for PWR's (i.e. only electro-mechanical
shutdown rods), and has reported a value of
“^10 for the unavailability of the reactor protection
system. The basic component failure rate is assumed to be
constant and to have a lognormal distribution.



Present work analyses the entire CANDU shutdown
system. Mathematical models are developed to analyse time
constrained behaviour of the shutdown system. The effect of
aging of basic components is also analysed. Instead of
using lognormal distribution for the failure rate of all
basic components, Weibull distribution is used because the
latter has lower standard deviation. From the analysis in

1 1 ~4 

present work an unavailability of o./ lO is obtained. It
has been concluded that time constraint on system operation
and the aging of components over a period of a year does
not significantly affect the system unavailability.

INTRODUCTION


Although Nuclear Power Plants have demonstrated definite
advantages over conventional power plants in environmental,
ecological and economic aspects, their existence and efforts
to pursue expansion are challenged, rightly, on the grounds
of serious potential hazards posed by their presence in an
eventual accident. Therefore, safe operation of reactor is
of utmost concern to the design engineers, operations people
and the public at large.

1.1 CONCEPT OF RISK:

A reactor is said to operate safely if under all
conceivable and realistic accidents the risk to the society
is acceptable. While making the preceding statement we are
immediately confronted by two problems: first, what is the
acceptable risk limit to the society, and second, how can we
quantify this risk? No definite solution can be given for
the first problem because the parameter involved, risk, as
conceived by the society depends upon several factors such
as time, nature of society, external circumstances of the
society, the degree of technological progress and affluence
etc.; therefore the best one can do is to compare the risks
posed by a new technology with the risk posed by an already
accepted technology. Risk as defined by dictionary means
'possibility of loss or injury to a person and property'.
To restrict the vagueness of the term, in reactor safety
study 'risk' encompasses potential fatalities and injuries
to people and property. In order to quantify societal
risks from accidents the following definition is used [1].




^ Consequences 
Magnitude | 

Another definition usually encountered and preferable when
dealing with low frequency events is [2, 3]:

RISK = {Probability of occurrence of event} x {Consequence per event}


It is easy to observe that both the definitions express the 
same information on different scale. 


Risk determination, therefore, requires estimation
of the two terms viz., consequence per event and the probability
of the event. An accident leads to multifaceted
consequences and representing all of them in a common unit
is not always possible. The consequences usually include
fatalities and injuries to people and damage to property. In
some studies consequences of occupational fatalities and
non-fatal injuries are expressed as lost man-hours whereas in
other studies consequences are converted into monetary value;
however, such an approach suffers the disadvantage of lacking a
universally acceptable criterion for conversion of consequences
into equivalent man-hours or monetary value. In order
to circumvent such difficulties, inseparable from the
concept of a common unit, reactor safety studies [1] give up
such an attempt and have selected four types of consequences.
These are:

a. Early fatalities, 

b. Early illness, 

c. Late health effects attributable to the accident, 

d. Property damage. 

Estimation of the probability of occurrence of an
accident (an event) should incorporate interaction of accident
prevention systems, systems safeguards and accident generating
events. The most convenient approach would be to collect
reactor accident data and, using standard parametric estimation
and statistical inference techniques, to draw conclusions
regarding a location parameter (mean, median or mode) and
variance or confidence limits. For inferences drawn to be
meaningful, data should be adequate to permit conventional
statistical analysis. Unfortunately, advanced engineering
systems, due to inherent high reliability, seriously lack
accident data, thereby defying conventional analysis. Moreover,
because of the huge investment involved it is desirable to
have an estimate of the probability of an accident before
deciding over the final design, and this being the case
where no data is available on the system performance. Therefore,
in either case, quantitative risk assessment requires use of
analytical methods. Event trees and fault trees are such
analytical methods.

1.2 RISK ASSESSMENT METHODOLOGY:

A Nuclear Power Plant is a technologically advanced
and complex system. The operating experience to date and
actuarial accident data available are highly deficient due to
high reliability of the system. It is therefore not surprising
that Event Tree and Fault Tree Methodology has become a very
popular technique of risk assessment. Any accident in NPP
system that can potentially lead to radioactivity release
is included in overall risk assessment. The methodology
employed, therefore, should be able to identify in principle
the accidents that can lead to significant releases and
determine their probability. Because of the potential
hazard of such accidents many safety features are engineered
into the system to check the propagation of accident and
limit the consequences. Therefore, radioactivity release is
preceded by an accident sequence involving the initiating
event and unreliable operation of some of the engineered
safety features (ESF). Obviously, for a given initiating
event there may be more than one accident sequence that can
lead to radioactivity release. Two different problems to be
resolved at this stage are: first, how to identify an
initiating event that will lead to significant releases, and
second, given an initiating event, how does one identify all
accident sequences. The logic for selecting an initiating
event has been dealt with in ref. [4]. To identify the
accident sequences Event Trees are used.

1.2.1 EVENT TREES:

An event tree is a logic method for identifying the
various possible outcomes of a given event called initiating
event [1]. In reactor safety analysis the initiating event is
a system failure. The total number of outcomes depends upon
the number of options available or engineered safety features
built in to mitigate the consequence of the accident. For
example, Fig. 1.1 depicts an event tree for reactor coolant
pipe break. Subsequent to the initiating event 'pipe break',
depending upon the performance of the options in headings
B, C, D and E several accident sequences are obtained. In
particular, if there are N headings or options including the
initiating event, the number of resulting accident sequences
will be 2^(N-1). Usually N may be as large as 10 and it can be
easily appreciated what a momentous task it would be to
comprehend and analyse all of them. Fortunately, all accident
sequences are not important and many of them can be dropped
because they are [1],

a. meaningless

b. illogical

c. redundant

d. a preceding option whose failure will definitely
complete the accident sequence no matter how the
following options behave, has failed.

The last point (d) calls in the study of functional
interrelationships such as [4]:

a) Time dependent performance requirements for the physical
systems needed to perform the various ESF (options) functions.

b) Failure of one function eliminates need for another.

c) Failure of one function leads to such physical processes
that cause other functions to fail.

d) Effect of accident characteristics (as pipe break size)
and location on the event tree and on the operability requirements
for the systems providing ECC.

Based on such considerations an event tree can be
reduced to convenient size as shown in Fig. (1.1).

1.2.2 FAULT TREES:

Event trees define failure of various options or ESF
and risk assessment requires probability of failure of these
systems. This task is performed by Fault Trees. Fault Tree
analysis was introduced by Bell Telephone Laboratories in
1961 for performing safety evaluations of launch control
systems for Minuteman Program [5]. At the 1965 Safety Symposium,
sponsored by the University of Washington and the Boeing Co.,
several papers were presented that expounded the virtues of
fault tree analysis [3]. The presentation of these papers
marked the beginning of a widespread interest in the possibility
of using fault tree analysis as a reliability estimation
tool in the nuclear reactor industry. In the early 1970's
great strides were made in the solution of fault trees to
obtain complete reliability information about relatively
complex systems [6, 7, 8]. The year 1975 witnessed the
publication of the monumental task, 'Reactor Safety Study -
An Assessment of Accident Risks in U.S. Commercial Nuclear
Power Plants - WASH 1400', in which event tree and fault
tree methodology has been applied for risk assessment of
an entire NPP system. Since the publication of this work
Fault Tree Methodology has gained extreme popularity and
it is now very usual to come across research papers on
various aspects of Fault Trees in reputed journals on
Reliability. More recently significantly growing interest was
witnessed at 'The Symposium of Nuclear Systems Reliability
Engineering and Risk Assessment' [9].

Fault Tree method reconstructs the undesired fault
from the failure of basic components of the system through
binary logic. In principle Fault Tree construction is
relatively a simple exercise. Essential steps involved in
Fault Tree construction are:

(i) A thorough understanding of the system to be analysed
is a prerequisite. Fault trees assist in organising the
knowledge of system but do not replace it.

(ii) Definition of TOP event. TOP event is the one
whose probability of occurrence is desired. The definition
has to be precise and in terms of system hardware.

(iii) Now we look for events that can cause TOP event either
together, or individually, or in some mixed mode. Their
relation to TOP event is defined by boolean operators AND
and OR and is conveniently represented by logic gates AND
and OR.

(iv) These events are now individually treated as TOP events
and step (iii) is repeated until we reach the events
defining failures of such components whose data is available.

(v) Fault Trees for components which can fail in more than
one mode are separately constructed and substituted at
appropriate position in the system's fault tree.

(vi) Editing of the fault tree so constructed is done to
avoid omissions, logical discrepancies and repetitions.

For a simple system Fault Tree construction can be
done manually; however, while tackling complex systems there
are many pitfalls. The worst pitfalls that confront one
unskilled in performing Fault Tree analysis are oversight and
omissions. Significant omissions sometimes occur if the
analyst jumps two or more logical levels in his development
of a deductive chain of factors and causes. For example, he
may skip from initiation of a command to its acceptance, and
neglect transmission. This tendency is minimized if one
follows the rule of listing very direct immediate causes
of any factor considered, before going on to consider the
next lower level of causes [10]. Another problem with
manual construction is that it is time consuming. The manual
construction of all the fault trees reported in WASH-1400
would have taken for a skilled person 25 man-years of continuous
work [11]. Because of these constructional difficulties
automated fault tree construction methods have been developed.

The next step in fault tree analysis is the quantification
of fault tree. Since the TOP event is related to
basic component failure through binary logic, boolean algebra
can be used to relate them, conversion of which to a probability
expression is a simple step. Knowing unavailability of
basic components, to obtain point estimate of TOP event
occurrence probability is a simple matter. The real problem
comes in propagating the statistical error in basic component
failure data so as to obtain confidence limits on the
TOP event estimate. When fault tree is extremely simple one
can attempt to compute variance of top event using standard
expressions and then find confidence limits using Tchebycheff
inequality [12]. In another approach, used by WASH-1400,
Monte-Carlo simulation is used to propagate error ranges.
When dealing with practical Fault Trees, in either case,
one has to resort to digital computers.

Figure 1.2 [13] is a schematic presentation of the
noteworthy codes produced in past 10 years for Fault Tree
Analysis. Group 1 are the fault tree construction codes,
while groups 2, 3 and 4 are the analysis codes. The analysis
codes can be divided into two general types: those which
directly produce numerical results, shown in group 4, and
two step codes which first qualitatively (group 2), and then
quantitatively (group 3) analyze the logic system.

The Fault Tree Construction code DRAFT [10] is based on
Synthetic Tree Model. Synthetic Tree Model is a synthesis
method for constructing fault trees from small segments
called component failure transfer functions. The component
failure transfer functions are obtained from a system-independent
analysis of every component appearing in the
system for which the fault tree is to be constructed. Although
DRAFT was written for certain electrical systems the technique
is general enough to be used with nuclear industry.

Taylor's method [14] uses algebraic models for
components with qualifiers to indicate which equations
describe the operation or failure of the component. These
qualified equations are then written for each component and
the resulting collection forms the system model. This model
can then be applied to determine the consequences of any
deviation in the input variables.

Tompkins and Powers [15] have suggested a method
using input-output models for equipment. These models
convey information regarding variable relationships when
the components are working as well as the effects of component
failures. Construction of the fault-tree begins with
the identification of important deviations and it is through
this search that the fault tree is built.

More recently Salem, Apostolakis and Okrent [3] have
developed a computer-aided technique. The component behaviour
is modelled using decision tables and the information thus
obtained is used in fault tree construction.

Most of the Fault Tree quantification codes in groups 2
and 3 use Vesely's Kinetic Tree Theory [7], a methodology for
obtaining time-dependent probabilistic results. The code PREP
finds minimal cutsets of the system and these are required
by the companion code KITT which computes the failure probabilities
associated with the fault tree of the system. The
code WAM/BAM, like code SAMPLE of WASH-1400, probabilistically
evaluates systems modelled with Boolean algebra. In another
approach, Fussell and Vesely [15] use a matrix to organize
increment results determined from a top-down (output-to-input)
analysis of the logic. However, this essentially
searching routine does not use the matrices in the usual
matrix-mathematical sense. Semanderes [16] developed a
FORTRAN computer program using Boolean algebra to calculate
probabilities efficiently from logic expressions. He uses
the unique factorization theorem of number theory (in which
the product of prime numbers assigned to each of the input
events retains the identification of these inputs) to keep
track of product entries. Schneeweiss [17] has recently
presented a method to calculate probability from Boolean
functions by algebraic techniques. In fact, methods based on
Boolean expression minimization techniques such as algebraic,
bit manipulation and Karnaugh graph have been proposed by
various authors. Most recently Chamow [18] has proposed a
technique based on graph theory.

Fault Tree Analysis is an all inclusive, versatile
mathematical tool for analysing complex systems. Some of the
advantages of the Fault tree analysis are [10]:

(1) Directing the analyst to ferret out failures in a
deductive way.

(2) Pointing out the aspects of the system important in
respect to the failure of interest.

(3) Providing a graphical aid giving system management
visibility to those removed from the system design changes.

(4) Providing options for qualitative or quantitative
system reliability analysis.

(5) Allowing the analyst to concentrate on one particular
system at a time.

(6) Providing the analyst with genuine insight into system
behavior.

Fault tree models do have drawbacks. The most serious
drawback is the inability to model failures that cannot be
decomposed through binary logic, e.g., a fault tree cannot analyse
the system's dynamic failure; such events are to be treated as
primary events. Other disadvantages, as has been discussed
before, include high cost, the time consumed and the possibility of
existence of more than one fault tree if constructed
manually.

Fig. (1.5) lists symbols and their definitions used 
in fault tree construction. 

1.3 GENERAL DATA TREATMENT:

The quantification of fault tree can involve one of the
two types of calculations: a point calculation, or a random
variable evaluation. The point and random variable types
of evaluation differ with regard to the goals and approaches
which in turn depend upon the type of input data available.
When the general goal is to derive a best estimate of a
system parameter of interest, usually the system unavailability
or failure probability, the POINT VALUE calculation is
used. Obviously, the input data available should be highly
accurate to produce meaningful estimates. In practice
extensive failure rate data to execute exact point estimation
is not available and feedback from field experience coupled
with engineering judgement is used to determine applicability
of data.

A more practical approach is to use the random variable
technique. Because failure rate data is collected from
several sources a range of values for failure rate is obtained
which allows the data parameter to be treated as random
variable to describe the probability associated with various
possible values. This is the approach used in WASH-1400 [5]
where, to express uncertainty in failure rate data, a lognormal
distribution was fitted and the median as well as 5 and 95
percentile point values are tabulated. The lognormal distribution
was chosen because of large variability in data, its
flexibility, its consistency with reliability and data
properties and because it is a standardly employed and
straightforward distribution [5].
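
The two quantification routes described in Sections 1.2.2 and 1.3 (a point value from the Boolean expression, and Monte-Carlo propagation of lognormal data given as a median and a 95 percentile) can be compared on a small tree. The following is an added example, not code from SAMPLE or from this work; the tree, the event names and all numerical values are constructed, and basic events are assumed independent and non-repeated.

```python
import math
import random
import statistics

Z95 = 1.6449  # 95th percentile of the standard normal distribution

# Constructed basic-event data: (median unavailability, 95th percentile).
BASIC_EVENTS = {
    "sensor_a": (1e-3, 3e-3),
    "sensor_b": (1e-3, 3e-3),
    "valve":    (1e-4, 1e-3),
    "pump_1":   (1e-2, 3e-2),
    "pump_2":   (1e-2, 3e-2),
}

# Constructed tree: TOP = (sensor_a AND sensor_b) OR valve OR (pump_1 AND pump_2)
TREE = ("OR",
        ("AND", ("basic", "sensor_a"), ("basic", "sensor_b")),
        ("basic", "valve"),
        ("AND", ("basic", "pump_1"), ("basic", "pump_2")))


def top_probability(node, q):
    """Evaluate a gate tree, assuming independent, non-repeated basic events."""
    kind = node[0]
    if kind == "basic":
        return q[node[1]]
    children = [top_probability(child, q) for child in node[1:]]
    if kind == "AND":
        return math.prod(children)
    if kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in children)
    raise ValueError(f"unknown gate type: {kind}")


def sample_basic_events(rng):
    """Draw one unavailability per basic event from its lognormal distribution."""
    q = {}
    for name, (median, p95) in BASIC_EVENTS.items():
        sigma = math.log(p95 / median) / Z95      # from p95 = median * exp(Z95 * sigma)
        q[name] = min(1.0, rng.lognormvariate(math.log(median), sigma))
    return q


def point_estimate():
    """POINT VALUE calculation: every basic event fixed at its median."""
    return top_probability(TREE, {n: m for n, (m, _) in BASIC_EVENTS.items()})


def propagate(trials=20000, seed=1):
    """Random variable evaluation: Monte-Carlo distribution of the TOP event."""
    rng = random.Random(seed)
    tops = sorted(top_probability(TREE, sample_basic_events(rng))
                  for _ in range(trials))
    mean = statistics.fmean(tops)
    sd = statistics.stdev(tops)
    k = math.sqrt(1 / 0.05)  # Chebyshev: P(|X - mean| >= k*sd) <= 1/k^2 = 0.05
    return {
        "p05": tops[int(0.05 * trials)],
        "p50": tops[int(0.50 * trials)],
        "p95": tops[int(0.95 * trials)],
        "mean": mean,
        "chebyshev_upper": mean + k * sd,
    }


if __name__ == "__main__":
    print(f"point estimate from medians: {point_estimate():.3e}")
    for key, value in propagate().items():
        print(f"{key:>16}: {value:.3e}")
```

With skewed input distributions the median of the simulated TOP event lies above the value obtained by inserting medians, and the Chebyshev limit is wider than the simulated 95 percentile because it uses only the mean and variance.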

The large variability in the failure data of basic
components is a serious drawback. Because this is a common
problem in reliability estimation an attempt to include
subjective information through the application of Bayes
Equation has become a very popular technique. Bayesian
reliability estimation methods have been applied to Nuclear
industry systems [19, 20]. Although Bayesian Method is a consistent
way of incorporating subjective information, the
mathematical complexity in using it with a general distribution
and results so far reported do not show that in practice it
is superior to methods described before.

1.4 REACTOR SHUT-DOWN SYSTEM RELIABILITY ESTIMATION:

Reactor shut down system is the major reactor protection
system and therefore its reliable operation is of utmost
interest to reactor safety. WASH-1400 has restricted the
analysis to instrumentation channels i.e. sensors, logic
circuits and shut-down mechanism triggering circuits, omitting
the mechanical and fluidic mechanisms for no obvious reason.
Recently, Ullrich and Erich [21] have reported that for PWR's
the main contribution to unavailability is from mechanical
system and common mode failure. Table 5.1 tabulates the
results obtained by WASH-1400 and Ullrich et al. [21].

1.5 PRESENT WORK:

Present work undertakes reliability estimation of
reactor shut down system for a CANDU reactor, the type being
proposed for NAPP. The shutdown system comprises a principal
shutdown mechanism, the Electro Mechanical Shut-down
Rod, and a back-up protection by Liquid Poison Rod mechanism.
The successful operation of this system is time constrained,
hence the present work includes into the analysis the
system unavailability due to chance failures, testing and
maintenance, reliable operation subject to time constraints
and deterioration in system performance due to aging, an
aspect neglected in all previous works. The failure rate
data is taken from [22] and [23] and treatment adopted in
WASH-1400 [5] is followed. Distributions other than
lognormal have been tried and the one having lowest variance
is used. To propagate the error range, code SAMPLE [5]
has been used with modification to include Weibull distribution
along with already existing distributions.

The present work is presented in four chapters and
three appendices. Chapter 2 contains description of the
mechanism and operation of CANDU shutdown system, the unavailability
expression for TOP event and the fault tree construction.
Chapter 3 contains the computation of point estimate,
confidence interval estimate of the TOP event unavailability
and also the results of Monte-Carlo simulation for the time
to trip for EMSR and LPR and for TOP event unavailability,
assuming constant failure rate for basic components. In
Chapter 4, effect of aging on component failure rate is
considered and system unavailability is computed. Chapter 5
contains conclusions and an outline for the further work.
Appendices A and B contain description of mathematical model
of time to trip for EMSR and LPR respectively. Appendix C deals
with data treatment procedure, basic probability expressions,
treatment of testing and maintenance procedures and common
mode failures.

(QUALITATIVE) (QUANTITATIVE)

TYPICAL PROGRAMS:

1) FAULT TREE CONSTRUCTION PROGRAMS
   DRAFT (FUSSELL, 1973)
   POWERS, TOMPKINS (1974)
   CAT (1976)

2) MCS CODES: FIND MINIMAL CUT SETS
   PREP (VESELY, 1970)
   ELRAFT (SEMANDERES, 1971)

3) NUMERICAL EVALUATION CODES
   KITT1, KITT2 (VESELY, 1970)

   TREEL
   MOCUS (FUSSELL, VESELY, 1972)
   MICSUP (PANDE, ET AL., 1975)

4) DIRECT EVALUATION CODES
   SAMPLE (NUC. REG. COMM., WASH-1400, 1975)
   WAM/BAM (RUMBLE, ET AL., 1975)

FIG. 1.2: Computer Codes for Fault Tree Analysis.

CHAPTER 2

FAULT TREE CONSTRUCTION

The reactor shut down system for CANDU reactor
consists of a principal shutdown mechanism, the Electro-Mechanical
Shutdown Rod (EMSR), and a backup protection, the
Liquid Poison Rod Shutdown (LPR). After an abnormality
worthy of reactor shut-down is detected by monitoring
instruments, the shutdown rod is expected to insert completely
in the core in 2 seconds, including time required to communicate
failure through instrument channels. In case the
shut-down rod fails to insert completely in 2 seconds it
is considered to have failed and LPR is triggered. LPR is
supposed to be filled in about 6 seconds (assumed for this
study; could be anywhere from 2 seconds or higher)
after being triggered, failing which the Reactor Shut down
System is considered to have failed.

2.1 ELECTRO MECHANICAL SHUTDOWN ROD SYSTEM:

To increase the reliability it is a standard practice
to introduce redundancy into the system. Fig. 2.1 shows the
simplified diagram of an EMSR and retains all the essential
features of the original system [24, 25]. Because of reactor
physics consideration 12 such rods are required to introduce
sufficient poison into the core in order to stop fission
chain reaction. Strictly speaking, it can be shown that even
lesser number of rods will suffice pl]; however, to increase
the reliability 14 EMSR's are provided in the reactor. These
14 rods are triggered in pairs by 7 scram signal circuits.

The operation of a single EMSR is as follows. On
receiving scram signal the rotating magnetic clutch MOP
under the force of release springs SR is disengaged. Under
the weight of shutdown rod the cable on the drum unwinds
freely and is guided by pulleys P1 and P2 and the guide tube.
The fall of rod is impeded by the friction between gears,
between shafts and bearings and viscous drag due to the
moderator. To overcome the effect of these impeding factors
acceleration spring SPR1 is provided. Under normal condition
the rod is pulled against the SPR1 so that on release
very high initial velocity is achieved. At the end of
journey the rod comes to rest on a support SP and to absorb
vibrations a damping spring SPR2 is provided.

2.1.1 FAULT TREE FOR EMSR:

The EMSR system is said to operate successfully if
12 out of 14 rods reach the end support SP in guide tube
within 2 seconds and rest on it. Because rods are triggered
in pairs by 7 scram signal circuits, failure of 2 or more
instrument channels out of the 7 or failure of 3 out of 14 rods
to insert completely in the core without damaging the support
is considered as EMSR system failure. Therefore,

Failure of EMSR System = (Failure of two or more of the instrument channels)
                         OR
                         (Failure in safe insertion of 3 or more out of 14 rods)

Hence, using standard combinatorial algebra results,


Pr (Failure of EMSR System) 


= 2-[ + Yajod-qj-t,)® 

+ 14 (3.1) 

where q_IC ; Probability of failure of single instrument
channel

; Probability of failure of a single EMSR

As has been mentioned in Chapter 1, the determination
of q_IC has been a favourite of most of the workers in this
field and an attempt to determine q^^ as defined here has
not yet been undertaken. In the present study determination
of q_IC is not repeated and its value is taken from WASH-1400.
To find q|^ fault tree analysis is undertaken for a single
EMSR.
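
A numerical check of the EMSR failure criterion stated above, as an added example (not code from this work): it evaluates "two or more of 7 channels OR three or more of 14 rods" with binomial tails. As an assumption of this example only, it also evaluates a paired model in which a failed channel removes both of its rods and counts, together with individual rod failures, against the 12-out-of-14 requirement. The names `q_ic` and `q_rod` and all numerical values are constructed.

```python
from math import comb


def at_least(k, n, q):
    """P(at least k of n independent components fail), each with probability q."""
    return sum(comb(n, i) * q**i * (1.0 - q)**(n - i) for i in range(k, n + 1))


def emsr_failure_stated_criterion(q_ic, q_rod):
    """Criterion as stated in the text: >= 2 of 7 channels OR >= 3 of 14 rods."""
    channels = at_least(2, 7, q_ic)
    rods = at_least(3, 14, q_rod)
    # Union of two independent events.
    return 1.0 - (1.0 - channels) * (1.0 - rods)


def emsr_failure_paired(q_ic, q_rod, channels=7, rods_per_channel=2,
                        allowed_missing=2):
    """Assumed paired model: a failed channel removes both of its rods and the
    system fails when more than `allowed_missing` rods in total do not insert."""
    total = 0.0
    for c in range(channels + 1):
        # Probability that exactly c channels have failed.
        p_c = comb(channels, c) * q_ic**c * (1.0 - q_ic)**(channels - c)
        lost = c * rods_per_channel                    # rods never triggered
        remaining = (channels - c) * rods_per_channel  # rods that were triggered
        need = allowed_missing + 1 - lost              # further rod failures needed
        p_fail = 1.0 if need <= 0 else at_least(need, remaining, q_rod)
        total += p_c * p_fail
    return total


if __name__ == "__main__":
    q_ic, q_rod = 1e-3, 1e-2   # constructed values, not data from the thesis
    stated = emsr_failure_stated_criterion(q_ic, q_rod)
    paired = emsr_failure_paired(q_ic, q_rod)
    print(f"stated criterion : {stated:.3e}")
    print(f"paired model     : {paired:.3e}")
    # The difference is dominated by one failed channel combined with one
    # failed rod elsewhere, roughly 7*q_ic * 12*q_rod.
    print(f"cross term approx: {7 * q_ic * 12 * q_rod:.3e}")
```

The paired model reduces to the two separate binomial tails when either probability is set to zero, so the gap between the two results isolates the mixed channel-plus-rod combinations.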

TOP event for the fault tree of EMSR is defined as:

'Failure of EMSR to fall to the bottom
in 2 seconds and rest on the end support, SP'.

Following the fault-tree construction method suggested
in Chapter 1, fault-tree for this case can be easily drawn
and is shown in Fig. 3.1. For all basic events of fault-tree
except RFF-2 (Rod fails to fall in 2 seconds) failure data
is available in the literature [5, 23]. The data treatment
is dealt with in Appendix C and the form in which they are
used is tabulated there. Event RFF-2 lacks data and because
of complex dynamic interrelationship between components
further decomposition through binary logic is not possible.
To resolve the problem of lack of data a mathematical model
of EMSR has been developed, details of which are given in
Appendix A. In brief, this model undertakes a realistic
analysis of EMSR to produce time required to travel a
specified distance under gravity and against the moment
of inertia of rotating components, friction in bearings
and between moving parts, buoyancy due to moderator (D2O)
and viscous drag. The time dependent acceleration of rod



W ; weight of rod

w ; weight of rope per unit length

l_0 ; length of unwound rope at t = 0

l(t) ; length of rope unwound in time t

B_0 ; buoyancy at time t = 0

B(t) ; buoyancy plus viscous drag at time t minus B_0

I ; moment of inertia of a rotating component

v ; velocity of rope

ω ; angular velocity of rotating component

g ; acceleration due to gravity

F(t) ; sum of frictional forces between various
components.

Equation (2.2) is a nonlinear, nonhomogeneous equation where
nothing is known about a(t), v(t), l(t) except initial
conditions and that they satisfy equation (2.2). This equation
is solved by 'marching process'.

2.2 LIQUID POISON ROD SHUTDOWN SYSTEM:

Liquid poison rod shutoff system provides backup
protection to the reactor shutdown. Fig. 2.2 shows flow-sheet
of a LPR shut-off system. There are 14 such systems, 2 being
redundant. The liquid shutoff rods are in the shape of U-tubes.
One leg of this tube penetrates through the calandria
and the other is outside the calandria. The main equipment
in the system are pumps, helium compressors, storage tanks
and valves. Each U-tube, connected between a gas header tank
and a liquid poison header tank, constitutes one liquid
poison shut-off rod mechanism [25].

The liquid poison is held out of the core by means of
a controlled differential pressure between gas and liquid
poison headers. When a scram signal is received the solenoid
valve interconnecting Liquid Header Tank (LHT) and Gas Header
Tank (GHT) is deenergised, resulting in equalisation of
pressure in two tanks, and as a result liquid poison is made
to rise in the poison tubes. A shorter poison insertion time
can be achieved by deenergizing another solenoid valve which
is on the pipe line connecting LHT to Booster cylinder.

2.2.1 FAULT TREE CONSTRUCTION:

The LPR shutoff system is said to operate successfully
if 12 out of 14 rods are filled with liquid poison in about
6 seconds on failure of EMSR system. Therefore,

Failure of LPR System = (Failure to sense failure of EMSR system)
                        OR
                        (Failure to fill 12 out of 14 rods with
                        liquid poison in about 6 seconds)


Hence, 


Pr (Failure of LPR system)

    = Pr (13 out of 14 rods fall to bottom in 2 seconds
          but one or more breaks through the support)

    + Pr (Failure to fill 12 out of 14 rods with liquid
          poison in about 6 seconds)


- [1-I4qj^p2 ^^“^PRE'2^ 


13- 


. (2.3) 


.13 , 14 , 


, 12 - 





where $q_{RPP2}$ : Probability of failure of a rod to fall in
                 2 seconds

      $q_{SB}$ : Probability that support does not break

      $q_{LP}$ : Probability of failure to fill a LPR in
               about 6 seconds

The probabilities $q_{RPP2}$ and $q_{SB}$ are obtained from
the analysis of EMSR system. To find $q_{LP}$, fault tree analysis
is undertaken for a single LPR system.

TOP event for the fault-tree is defined as:

'Failure of liquid poison to fill the liquid
rod in about 6 seconds.'

Fault Tree is shown in Fig. 3.2. For all basic events
except event 1 failure data is available and the data treatment
is given in Appendix C. Event 1 is of the same kind as
RPP2 in previous article. Here too, to resolve the problem of
lack of data, a mathematical model has been developed, details
of which are given in Appendix B. In brief, this model
computes the time required to fill a LPR. The He-gas flow
circuit and the liquid flow circuits are considered as
coupled circuits with unsteady flow. For liquid flow circuit,
neglecting thermodynamic changes in liquid properties, the
equation governing acceleration of rise of liquid in liquid
rod is given by,

Ci(t) II + C2(t) V^~C^(t) = P3_(t) - P^Ct) (2./1 ) 
where V(t) : velocity of liquid level in LPR
      $P_1(t)$ : He-pressure in LHT
      $P_2(t)$ : He-pressure in GHT

$C_1(t)$, $C_2(t)$, $C_3(t)$ are functions of liquid level at
different sections along the liquid flow circuit.

The unsteady gas flow is considered to be steady state
over a small time interval. A constant cross-sectional area
pipe through which gas flow is adiabatic is being considered.
The end pressures and Mach numbers are related by,




r 




1 + 


E-1 

2 


1 + 


K-l 

2 



(2.5) 


where gas flow is from end 1 to 2; $P_1$, $P_2$ and $M_1$ are known
and thereby $M_2$ can be calculated. Knowing $M_2$ the rate of
inflow of gas (by mass balance), pressure and temperature
changes can be computed, where suffix 1 and 2 denote
conditions in tanks 1 and 2, flow is from tank 1 to 2, M is
Mach number, P is pressure and K is the ratio of specific
heats for the gas.




















CHAPTER 3 


FAULT TREE QUANTIFICATION


Appendix C discusses the computation of primary event
probability or basic component unavailability over a given
time from known chance failure rate. Considerations of repair
and preventive maintenance are also discussed and used where
applicable.

Given a fault tree the top event T can be expressed
as boolean function of primary events such as

$$T = X(E_1, E_2, \ldots, E_n) \qquad (3.1)$$


For fault trees this can be written as
T = + H2 + + ... + I'V 


(3.2) 


The events $M_i$ are secondary events consisting of intersections
of primary events.


m 


% = n Oi 

^ 1C=1 ^k 


(3.3) 


where no $M_i$ is a subset of another $M_j$. With the expression
in this form the $M_i$ are termed the critical paths or minimal
cut sets of the fault tree.

The probability of T for small probability events can
be written as,

i=l 


(3.4) 
and if primary events are independent then,

m 

= 2 P(C. ) (3.5) 

In case common mode failures exist, they are included and
quantified as has been explained in Appendix C.

Given $P(C_i)$ and the associated error factor the TOP
event unavailability and error spread can be computed by one
of the following methods:

a. When fault tree is simple, statistical distribution
algebra can be used to compute the location parameter and the
variance of TOP event unavailability. Confidence limits can
be derived by using Tchebycheff's inequality or by assuming a
distribution for TOP event.

b. When fault tree is complicated it is convenient to use
Monte-Carlo simulation of fault tree. Monte-Carlo simulation
is expected to produce lower variance.

On reviewing the data available it can be seen that the
standard deviation and location parameter are of the same order.
In samples having such a high variance it is meaningless to
talk of location parameter estimate with any consistency.
Therefore, the relative superiority of the two methods does
not depend so much upon their producing approximately equal
location parameter estimate but upon producing lower variance
in final result. In this chapter the results on the
probability of TOP event as computed by the two methods will
be presented.

3.1 POINT AND INTERVAL ESTIMATION FOR TOP EVENT:

Given a fault tree we can, in principle, always compute
mean and variance ($\sigma^2$) of the TOP event using standard
results. This is more easily done when the fault trees are
simple.

To compute 5% and 95% confidence bounds, we use
Tchebycheff inequality [12] given as

P [ 1 - ^ (3.6) 

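The Tchebycheff inequality can be improved and written
as [12],

$$\Pr[T \le d] \le \frac{\sigma_T^2}{\sigma_T^2 + (\mu_T - d)^2}, \quad d \le \mu_T \qquad (3.7)$$

and

$$\Pr[T \le d] \ge 1 - \frac{\sigma_T^2}{\sigma_T^2 + (\mu_T - d)^2}, \quad d \ge \mu_T \qquad (3.8)$$

Therefore 5% confidence bound is given by,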

L ^05 = (3.9) 

and 95% confidence bound is given by

^.05 ’-^T ^T ■ (3.10) 

Another method for computing confidence bounds is to
select an approximate density function $f_Q(t)$ for the TOP
event. Apostolakis and Lee [2] have used Johnson $S_B$
distribution and have obtained results in good agreement
with Monte-Carlo simulation results. The $S_B$ distribution is
given by

$$f_J(x) = \frac{1}{\sqrt{2\pi}\,\sigma\,(1-x)\,x} \exp\left[-\frac{1}{2}\left(\frac{\ln[(1-x)/x] - \mu}{\sigma}\right)^2\right] \qquad (3.11)$$

where x is TOP event probability.

For low probability events $S_B$ distribution reduces to
lognormal distribution and this explains the good agreement
of results with Monte-Carlo simulation where lognormal
distribution was fitted on the sample space simulated for the
TOP event.


For a lognormal distribution with parameters $\mu$ and $\sigma$
the 5% bound is given by

$$L_{0.05} = \exp(\mu - 1.6145\,\sigma) \qquad (3.12)$$

and 95% bound is given by

$$U_{0.95} = \exp(\mu + 1.6145\,\sigma) \qquad (3.13)$$

Another noteworthy distribution is Weibull. Experience
stipulates that Weibull distribution can closely approximate
mixtures of distribution and thereby adequately handle
heterogeneous population. The flexibility of Weibull distribution
is a great asset. The density function of Weibull
distribution is given by

$$f(x) = \frac{\beta}{\alpha}\left(\frac{x}{\alpha}\right)^{\beta-1} \exp\left[-\left(\frac{x}{\alpha}\right)^{\beta}\right] \qquad (3.14)$$

where $\alpha$ and $\beta$ are parameters of Weibull distribution, $\beta$ is
shape parameter and $\alpha$ is location or scale parameter.

The 5% confidence bound is given by

$$L_{0.05} = \alpha\,(0.0512932)^{1/\beta} \qquad (3.15)$$

and the 95% confidence bound is given by

$$U_{0.95} = \alpha\,(2.9957)^{1/\beta} \qquad (3.16)$$

3.2 MONTE CARLO SIMULATION [5]

When complexity of the fault tree forbids analytical
treatment Monte Carlo simulation is used and is considered a
very efficient method. Even in case of simple fault tree whose
basic components can have a variety of unavailability density
functions Monte-Carlo simulation offers an efficient and
realistic treatment of data to generate failure data for TOP
event.

Given a boolean function, $Y = f(X_1, X_2, \ldots, X_n)$, values
of location and dispersion parameters of independent variables
and associated density function, the Monte-Carlo simulation
consists in sampling $X_1, X_2, \ldots, X_n$ from input variable
distributions and evaluating the function Y. This sampling
is repeated N times and resultant sample space of Y are ordered
in ascending value $Y_1 < Y_2 < \ldots$ to obtain the limits
of the distribution.

Monte Carlo simulation requires considerable computer
time depending upon sampling size N. To use the method
efficiently failure-rate coupling technique is used in which
only one sample is drawn for all similar, generic class of
faults and common mode failures. The effectiveness of this
modification is better appreciated while analysing large
fault trees.

Computer code SAMPLE [5] is used for Monte Carlo
simulation with modification to incorporate Weibull distribution.
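The sampling procedure of Section 3.2, run with and without failure-rate coupling, as an added Python example; it is not part of the original thesis and is not the SAMPLE code. The event data, class names and cut sets are constructed for illustration, and lognormal inputs specified by a median and an error factor are an assumption of this example.

```python
import math
import random
import statistics

Z95 = 1.645  # standard normal 95th percentile: error factor -> lognormal sigma

# Constructed data (assumption, not the thesis's Appendix C values):
# event -> (generic class, median unavailability, error factor = 95th pct / median).
# Events of one class share a distribution; these are the "similar" events
# for which failure-rate coupling draws a single sample per trial.
EVENTS = {
    "E1": ("valve", 2.0e-3, 3.0),
    "E2": ("valve", 2.0e-3, 3.0),
    "E3": ("valve", 2.0e-3, 3.0),
    "E4": ("valve", 2.0e-3, 3.0),
    "E5": ("sensor", 5.0e-4, 3.0),
    "E11": ("tank", 1.0e-2, 3.0),
    "E12": ("controller", 3.0e-2, 3.0),
}
# Minimal cut sets in the shape of the LPSR expression Q(E11).Q(E12) + sum Q(Ek).
CUT_SETS = [("E11", "E12"), ("E1",), ("E2",), ("E3",), ("E4",), ("E5",)]


def sample_lognormal(rng, median, error_factor):
    """Draw one unavailability from a lognormal with the given median and error factor."""
    sigma = math.log(error_factor) / Z95
    return median * math.exp(sigma * rng.gauss(0.0, 1.0))


def top_event(q):
    """Rare-event approximation: sum over cut sets of the product of event values."""
    return sum(math.prod(q[e] for e in cut) for cut in CUT_SETS)


def simulate(n_trials, coupled, seed=1):
    """Return the N simulated TOP event values in ascending order."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_trials):
        q, class_draw = {}, {}
        for name, (cls, median, ef) in EVENTS.items():
            if coupled:
                # One draw per generic class, reused by every event of that class.
                if cls not in class_draw:
                    class_draw[cls] = sample_lognormal(rng, median, ef)
                q[name] = class_draw[cls]
            else:
                q[name] = sample_lognormal(rng, median, ef)
        samples.append(top_event(q))
    samples.sort()
    return samples


def percentile(ordered, p):
    """Order-statistic estimate: the ceil(p*N)-th smallest value."""
    k = max(1, math.ceil(p * len(ordered)))
    return ordered[k - 1]


def summarize(ordered):
    """Percentile limits plus normal and lognormal maximum-likelihood estimates."""
    logs = [math.log(y) for y in ordered]
    return {
        "p05": percentile(ordered, 0.05),
        "p95": percentile(ordered, 0.95),
        "mean": statistics.fmean(ordered),
        "stdev": statistics.pstdev(ordered),   # ML estimate uses divisor N
        "ln_median": math.exp(statistics.fmean(logs)),
        "ln_sigma": statistics.pstdev(logs),
    }


if __name__ == "__main__":
    for coupled in (False, True):
        result = summarize(simulate(1200, coupled))
        label = "coupled" if coupled else "independent"
        print(label, {k: round(v, 5) for k, v in result.items()})
```

Coupling leaves the mean of the TOP event almost unchanged but widens its distribution, because the four valve events then move together instead of averaging out.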

3.3 FAULT TREE QUANTIFICATION FOR EMSR:

Fault tree in Fig. 3.1 is used to find TOP event
unavailability by methods discussed in Sections 3.1 and 3.2.
Common cause failures are identified and, assuming a scheduled
testing and maintenance every month, unavailability contributions
due to common cause failures, testing and maintenance
are included using techniques discussed in Appendix C. The
data used for events E1 to E15 is taken from Appendix C and
that for event E16 from Monte Carlo simulation of EMSR to
produce time to fall to support SP. Results of Monte Carlo
simulation of EMSR, data used, point estimation and Monte
Carlo simulation of fault tree of EMSR are presented in Table
3.1. The computation of point estimates and confidence bounds
is given in Section (3.3.1).

3.3.1 COMPUTATION OF POINT ESTIMATES OF THE UNAVAILABILITY
OF A SINGLE EMSR:

Fault Exposure Time = 720 hrs. (1 month)

A. Hardware Contribution:

Boolean expression for TOP event: $T = \bigcup_{k=1}^{16} E_k$

Unavailability $Q(T) = \sum_{k=1}^{16} Q(E_k)$

On average not more than 4 shutdowns are expected in a year.
To be on safe side, we assume 1 shutdown in a month.

$Q_{ROD}$ = 0.0393


B. Test and Maintenance Contribution:


Test and maintenance unavailability due to instrument 

t* 

channels [5] =1.2x10 


ii) For mechanical system 'Drop Test', to check the
    time to fall, is conducted. Assuming it can take
    a minimum of 7.5 min and a 2 hr. maximum time,
    the lognormal average is 0.72 hrs. and
    unavailability due to testing is [5]
    = 1.0 x 10^-3

iii) The maintenance downtime has a lognormal
     average of 7 hrs. (a range of 0.5 hr. to
     24 hrs.) and assuming maintenance frequency
     to be once in 4.5 months on average (associated
     with 90% range of 1 month to 12 months)
     the unavailability is
     = 2.1388 x 10^-3
C. Common Cause Failure Contribution:

As has been discussed in Appendix C,

Common cause failure unavailability

Qom = J^27JQTi2TTQ0iT' 

C.omrnon cause failure unavailability = 8.03 x 10”"^ 

D. Total unavailability based on 1 mo.
   testing and maintenance schedule = 4.245 x 10^-2

E. Computation of Confidence Bounds on TOP Event:

By Taylor series expansion of unavailability expression
and taking second moment of both sides it can be shown that

16 

1^-2 (QnJ 

i=l 

+ **" 1 * ^2 ''’' 2 ^^ 2 ^ 

For E16, because of lack of information, only point estimate
of unavailability is available; therefore dispersion information
is not included in calculating $\mu_2(Q_k)$. Substituting
appropriate values:

1^2 (Qgn) = 2.5446 X 10"^ 

hence, Standard deviation = 0.0232943

E1. Confidence bounds using Tchebycheff inequality
    [Eqns. 3.9 and 3.10]:

    Lower bound, $L_{0.05}$ = 0.0

    Upper bound, $U_{0.95}$ = 0.1468151

E2. Confidence bounds assuming a lognormal distribution
    for TOP event [Eqns. 3.12 and 3.13]:

    Lognormal parameters are: $\mu$ = -3.1594284 and $\sigma$ = 1.3552

    Lower bound = 4.7605 x 10^-3

    Upper bound = 0.3785

E3. Confidence bounds assuming a Weibull distribution for
    TOP event. Weibull parameters $\beta$ and $\alpha$ can be computed
    knowing mean and $\mu_2$.

    $\beta$ = 1.945
    $\alpha$ = 0.0478746

    hence,

    $L_{0.05}$ = 0.010401

    $U_{0.95}$ = 0.08414

3.4 FAULT TREE QUANTIFICATION FOR LPSR:

Fault tree of a single LPSR is shown in Fig. 3.2 and
is used here for determining TOP event unavailability using
methods discussed in Sections 3.1 and 3.2. A scheduled
testing and maintenance period of 30 days (720 hrs) is assumed
and common cause failures are identified and their contribution
to the overall unavailability is computed using techniques
discussed in Appendix C. Confidence interval and point
estimates are computed in Section 3.4.1 and results along with
data used and the results of Monte-Carlo simulation of
LPSR and fault tree of LPSR are presented in Tables 3.2.

3.4.1 COMPUTATION OF POINT ESTIMATES OF THE UNAVAILABILITY
OF A SINGLE LPSR:

A. Hardware Contribution:

Boolean expression for TOP event

$$T = (E11 \cap E12) \cup \Big( \bigcup_{k=1,\ k \ne 11,12,15,22,23}^{23} E_k \Big)$$

Unavailability

$$Q(T) = Q(E11) \cdot Q(E12) + \sum_{k=1,\ k \ne 11,12,15,22,23}^{23} Q(E_k)$$

On average not more than 4 shutdowns are expected in a year.
As LPSR is a backup system it will be called upon to operate still
less frequently. However, a frequency of 1 per month is
assumed to include events defined as failure per demand.

Q = 0.0723944

B. Testing and Maintenance Contribution:

Same as for EMSR, Q = 3.1388 x 10^-3
C. Common Cause Failure Contribution:

Pairs of events causing common cause failure
are: (E15, E18), (E20, E22) and (E21, E23)

= Q(E15)^^^ + Q(E20)^'^^ + Q(P21)^'^^ 

= 2.7 X 10"® + 3.9540 x 10"® + 6.49 s 10"® 

Hence = 6.5307 x 10^-3

D. Total Unavailability of a Single LPSR = 8.206 x 10^-2

E. Computation of Confidence Bounds on TOP Event:

Using Taylor's series expansion of unavailability
expression and taking second moment of both sides it can be
shown that

23 

~ 3^ i 1-1-2 "i" ^12* ^2 ^^^11^ 

i=l 

iAl, 12,15, 22, 23 
+ '' ~'l ^15 M'2^*^15^ 

+ \ QgQ P2 (*^-20^ i °^22 ^2 ^^22^ 

+ P 2 (testing and maintenance) 
where subscript i denotes event Ei. 

Events E1, E2 lack information on the dispersion of
unavailability and therefore they are not included in
calculating $\mu_2$. Substituting appropriate values:

,a2(Qgn) = 0.0118782 

Variance (Q^) = 5.1444 x 10 

hence, Standard deviation = 0.0717249

E1. Confidence Bounds Using Tchebycheff Inequality
    [Eqn. 3.9 and 3.10]:

    Lower bound, $L_{0.05}$ = 0

    Upper bound, $U_{0.95}$ = 0.39^593

E2. Confidence Bounds Using a Lognormal Distribution for
    TOP event [Eqn. 3.12 and 3.13]:

    Lognormal parameters are: $\mu$ = -2.5003046,
    $\sigma$ = 0.5327093

    Lower bound, $L_{0.05}$ = 0.03472

    Upper bound, $U_{0.95}$ = 0.193932

E3. Confidence Bounds Using a Weibull Distribution for TOP
    event [Eqn. 3.14 and 3.15]:

    Weibull distribution parameters are: $\beta$ = 1.153?
    $\alpha$ = 8.62 x 10^-2

    Lower bound, $L_{0.05}$ = 6.5575 x 10^-3

    Upper bound, $U_{0.95}$ = 0.22324
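The lognormal and Weibull bound calculations of steps E2 and E3 for both rods, together with a method-of-moments Weibull fit, as an added Python example that is not part of the original thesis. The parameter values are those printed in Sections 3.3.1 and 3.4.1; the powers of ten lost in the scan (alpha = 8.62 x 10^-2 and mean = 8.206 x 10^-2 for the LPSR) and the reading of beta as 1.153 are assumptions, as is the bisection fit, since the thesis does not say how it obtained beta and alpha from the moments.

```python
import math

Z_PAGE = 1.6145  # factor as printed in Eqns. 3.12 and 3.13


def lognormal_bounds(mu, sigma, z=Z_PAGE):
    """5% and 95% bounds exp(mu -/+ z*sigma) of a lognormal TOP event."""
    return math.exp(mu - z * sigma), math.exp(mu + z * sigma)


def weibull_quantile(p, alpha, beta):
    """Invert the Weibull CDF F(x) = 1 - exp[-(x/alpha)^beta]."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return alpha * (-math.log(1.0 - p)) ** (1.0 / beta)


def weibull_bounds(alpha, beta):
    """Eqns. 3.15 and 3.16: -ln(0.95) = 0.0512933 and -ln(0.05) = 2.9957."""
    return weibull_quantile(0.05, alpha, beta), weibull_quantile(0.95, alpha, beta)


def weibull_cv(beta):
    """Coefficient of variation of a Weibull; it depends on the shape only."""
    g1 = math.gamma(1.0 + 1.0 / beta)
    g2 = math.gamma(1.0 + 2.0 / beta)
    return math.sqrt(g2 - g1 * g1) / g1


def weibull_from_moments(mean, stdev, lo=0.2, hi=50.0, tol=1e-10):
    """Bisect on beta until the CV matches stdev/mean, then scale alpha to the mean."""
    target = stdev / mean
    if not weibull_cv(hi) < target < weibull_cv(lo):
        raise ValueError("coefficient of variation outside the searched shape range")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if weibull_cv(mid) > target:   # CV falls as beta rises
            lo = mid
        else:
            hi = mid
    beta = 0.5 * (lo + hi)
    alpha = mean / math.gamma(1.0 + 1.0 / beta)
    return alpha, beta


# Values printed in Sections 3.3.1 (EMSR) and 3.4.1 (LPSR).
PAGE = {
    "EMSR": {"mu": -3.1594284, "sigma": 1.3552, "alpha": 0.0478746, "beta": 1.945},
    "LPSR": {"mu": -2.5003046, "sigma": 0.5327093, "alpha": 8.62e-2, "beta": 1.153},
}


def reproduce():
    """Return {rod: {distribution: (lower, upper)}} from the printed parameters."""
    out = {}
    for rod, p in PAGE.items():
        out[rod] = {
            "lognormal": lognormal_bounds(p["mu"], p["sigma"]),
            "weibull": weibull_bounds(p["alpha"], p["beta"]),
        }
    return out


if __name__ == "__main__":
    for rod, bounds in reproduce().items():
        for dist, (low, high) in bounds.items():
            print(f"{rod:5s} {dist:10s} L0.05 = {low:.6g}  U0.95 = {high:.6g}")
    print("LPSR moment fit (alpha, beta):", weibull_from_moments(8.206e-2, 0.0717249))
```

For the same rod the Weibull interval is far narrower than the lognormal one, which is the comparison the thesis uses when it prefers the Weibull distribution.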

3.5 COMPUTATION OF SYSTEM UNAVAILABILITY:

Substituting the following values in the unavailability
expressions for the EMSR and LPR systems given in sections
(2.1.1) and (2.2.1) respectively, we obtain system
unavailability due to chance failure and testing and
maintenance outages.

~ 3 x 10 ^/demand (obtained from ref. [22])

= 4.55 x 10^-2/demand (from Table 3.1C)

Mean unavailability of EMSR system = 2.39 x 10^-2/demand

and $q_{LP}$ = 0.1/demand

Mean unavailability of LPR shut-off system = 0.0158/demand.

The computed mean unavailabilities are for a fault
exposure time of 720 hrs. with the assumption that one shutdown
may be expected during this period. Since, on average,
four shutdowns are expected in a year the values obtained
are slightly conservative. Since only few basic components
have their failure rate expressed as unavailability per
demand, we can safely express system unavailability in terms
of system failure rate. Hence:

$\lambda_{EMSR\ system}$ = 3.319 x 10^-5

$\lambda_{LPR\ system}$ = 2.1944 x 10^-5
Footnotes to Table:

1. Event 'shaft fails to rotate or shaft locked in
   bearing' includes two independent events, viz.
   event A and event B as shown below:

   Shaft locked in bearing
       = [Failure of Bearing] OR [Failure of Shaft]
              Event A                Event B

2. E2 and E5 will lead to common mode failure. TOP
   event will occur through failure modes initiated
   by either E2 or E5. Because E2 and E5 are same
   both the failure modes will occur simultaneously
   and thus lead to a higher unavailability, and
   appropriate term will have to be included while
   computing TOP event unavailability. It has to be
   noted that one of the two events E2 and E5 is
   redundant.



Failure of a single EMSR 
Table 3.1C: Monte-Carlo Simulation of Fault-Tree of EMSR

TOP event unavailability expression is,

16 

Q(l) = 2 Q(\) + Q(E17)+'' (E18)+Q(E19)+ Q(E2) .Q(E2) .Q(E5) 

k=l 
k5^5 

where E16 : Testing and maintenance of instrument channels
      E17 : Testing of mechanical system
      E18 : Maintenance of mechanical system

Sample size = 1200

Parameter : Unavailability of a single EMSR
Fault Exposure Time : 720 hrs (1 month)

Description of Parameter Measures                Values

1.  5 percentile lower limit on Q(T)             0.01524
2.  95 percentile upper limit on Q(T)            0.13469
Normal Distribution M.L. Estimates
3.  Mean of Q(T)                                 0.05536
4.  Standard deviation on Q(T)                   0.04459
Lognormal Distribution M.L. Estimates
5.  Median of Q(T)                               0.04337
6.  Standard deviation of T                      0.0423606
7.  Parameter $\sigma$                           0.68432
Weibull Distribution Estimates
8.  Shape parameter $\beta$                      1.866
9.  Scale parameter $\alpha$                     0.051243
10. Mean of Q(T)                                 0.045513
11. Standard deviation on Q(T)                   0.0250216
12. Recommended Distribution                     WEIBULL

NB: The frequency distribution of Q(T) is shown in Fig. 3.4.
Table 3.2A: Monte-Carlo Simulation of Liquid Poison Shut-off
Rod for Time Required to Fill the Liquid
Poison Rod:

Sample Size = 1000

Parameter: Time required by LPSR to fill LPR, T sec.

NB: The frequency distribution of T is shown
in Fig. 3.5.

Description of parameter measures                Values

1.  5 percentile lower limit on T                2.82735
2.  95 percentile upper limit on T               3.48055
Normal Distribution M.L. Estimates
3.  Mean of T                                    3.15597
4.  Standard deviation on T                      0.19938
Lognormal Distribution M.L. Estimates
5.  Median of T                                  3.14956
6.  Standard deviation on T                      0.2025705
7.  Parameter $\sigma$                           0.06412
Weibull Distribution Estimates
8.  Shape parameter $\beta$                      19.567
9.  Scale parameter $\alpha$                     3.2163289
10. Mean of T                                    3.13
11. Standard deviation on T                      0.1942566
12. Recommended distribution                     LOG NORMAL DISTRIBUTION
13. Unavailability (probability that T
    exceeds specified time)
    i)   specified time = 6 sec.                 < 0.5 x 10^-15
    ii)  specified time = 5 sec.                 < 0.5 x 10^-10
    iii) specified time = 4 sec.                 < 0.5 x 10^-5

Remarks:

Standard deviation of He-gas pressure in cylinder, LHT
and GHT = 5 percent of mean pressure in respective tanks [32].

Except when specified time is 4 secs, the
unavailability of time bound event is negligible.
i2B I

1. Rupture of LPR is same as rupture of a pipe segment
   and has a very small chance failure rate
   ( A 5.22 x 10 ^ per section) and is therefore
   neglected.

2. The event of interest is PG > PL + $h_L$

   where PG is pressure of He-gas in GHT, PL is pressure
   of He-gas in LHT and $h_L$ is pressure of liquid
   column head in LHT and pipe P2 at point A. It is
   assumed that PG, PL and $h_L$ are normally distributed
   random variables having a standard deviation of 5 percent
   of the mean value [32].

   PG: $\mu_G$ = mean = 2.1 Kgf/cm^2, $\sigma_G$ = standard deviation
       = 0.105

   PL: $\mu_L$ = 1.75 Kgf/cm^2, $\sigma_L$ = 0.0875

   $h_L$: $\mu_h$ = 1.26 Kgf/cm^2,

   event PG > PL + $h_L$, i.e. PG - PL > $h_L$

   Pr [PG - PL > $h_L$] = Pr [X >

   where X is new random variable having $\mu$ = 0.55,
   $\sigma$ = 0.137.

   It can be shown that Pr[X > 1.26] = 5 x 10 ^

3. Events E11, E15 and E18 although same cannot be
   off-hand declared redundant. Only E15 and E18 are
   redundant. However, because they simultaneously
   initiate different failure modes of TOP event,
   common mode failure contribution has to be considered.
   Event E11 being compounded with E12, and
   each being a low probability event, can be treated to
   have negligible effect. Common mode failure contribution
   of E15 and E18 is to be included.

4. Events E12 and E19 although same can neither be
   treated as redundant nor as initiating common cause
   failure because progress of failure chain initiated
   by E12 is constrained by event E11.

5. Apart from tank failure which will cause loss of
   liquid poison, in all other possible circumstances
   if there is liquid in LHT, however little, it will be
   definitely available at point A. During shut-down the
   liquid poison in LHT drains and is recirculated by
   feed pumps back to LHT where its level is monitored by
   level sensors. Therefore E5 can exist after shutdown
   due to failure of feedpumps or level sensors or during
   scheduled testing and maintenance period. It is only
   during maintenance period that E5 can occur, unavailability
   due to which is considered in E25 and E26.

6. Events (E20 and E22) and (E21 and E23) are redundant.
   Common cause contribution of E20 and E22 and that of
   E21 and E23 has to be included.



Failure Liquid Poison Shut-off Rod 
















LEGEND OF FIG. 3.2:

A    Liquid poison unavailable at point A (Fig. 2.3)

B    He-gas pressure in GHT, PG, is greater than the
     total head of liquid at point A, P2+PL (PL is
     He-pressure in LHT).

C    He-pressure in LHT is below the specified limit

D    He-pressure in GHT is below the specified limit

E    He-pressure in Booster cylinder is below the
     specified limits

F    Valve VL fails closed

G    Valve V3 fails closed

I    Valves V3 and V4 leak

J    Failure of differential pressure controller

K    Low pressure side valve leakage

L    High pressure controller fails

M    Valves V3 or V4 leak

N, O Scram signal not received.

NB: For description of other events refer to Table 3.2B.
Table 3.2C: Monte-Carlo simulation of fault tree of LPSR.

TOP event unavailability is given by,

^ Q(Et.) + Q(E11).Q(E12) 

lcAl.12,15,22,25 

+ Q(E2.;-) + Q(E25) + Q(E26) + Q(E18)^^^ 

+ Q(E20)^^^ + Q(E21)^/^ 

where E24 : Testing and maintenance of instrument channels
      E25 : Testing of fluidic system
      E26 : Maintenance of fluidic system

Sample size : 1200

Parameter : Unavailability of a single LPSR
Fault Exposure Time : 720 hrs. (1 month)

Description of Parameter Measure                 Value

1.  5 percentile lower limit on Q(T)             0.03670
2.  95 percentile upper limit on Q(T)            0.25937
Normal Distribution M.L. Estimates
3.  Mean of Q(T)                                 0.11794
4.  Standard deviation on Q(T)                   0.08717
Lognormal Distribution M.L. Estimates
5.  Median of Q(T)                               0.09661
6.  Standard deviation of Q(T)                   0.079934
7.  Parameter $\sigma$                           0.81890
Weibull Distribution Estimates
8.  Shape parameter $\beta$                      2.0798
9.  Scale parameter $\alpha$                     0.11382
10. Mean of Q(T)                                 0.1008388
11. Standard deviation on Q(T)                   0.05049
12. Recommended Distribution                     WEIBULL

Frequency distribution of Q(T) is shown in Fig. 3.6.



Component dimension $\sigma$ = 0.05 % of mean
EMSR : Monte-Carlo simulation of EMSHUT

Fig. 3.4 EMSHUT : Unavailability frequency distribution
(horizontal axis: unavailability)

Fig. 3.6 LPSHUT : Unavailability frequency
(horizontal axis: unavailability)


CHAPTER 4 


REACTOR SHUT-DOWN SYSTEM RELIABILITY ESTIMATION

In Chapter 3, unavailability of a single EMSR and LPR
has been computed and therefrom the failure rate of these
systems. This failure rate is to be interpreted as chance
failure rate and was obtained by assuming basic component
failure mode to be chance failure, therefore using constant
failure rate values for the time period of interest. Such
an assumption is justified if 'ideal repair on failure' or
to some extent 'ideal preventive maintenance' is undertaken.

In addition to chance failure the component will be subjected
to aging and this can have significant effect on the component
unavailability over a span of 1 year. It is therefore
meaningful to include expected deterioration in basic
component life expectancy over a period of 1 year in reliability
estimation.

4.1 TIME DEPENDENT FAILURE RATE:

If a component failure can take place due to different
physical mechanisms, viz., chance failure and wear out, the
component hazard rate is given by the sum of the hazard rates
due to the chance failure and wear out. Hence

$$h(t) = h_c + h_w(t) \qquad (4.1)$$

where $h_c$ is chance failure rate (constant)
      $h_w(t)$ is wearout hazard rate
      h(t) is component hazard rate

$h_w(t)$ is hazard function of time to failure distribution. In
reliability practice Weibull is the most popular time to
failure distribution [26, 27] because it is flexible and
experience substantiates its use. Hazard function for
Weibull distribution is given by

$$h(t) = \frac{\beta}{\alpha^{\beta}}\, t^{\beta-1} \qquad (4.2)$$

where $\beta$ is shape parameter and $\alpha$ location parameter. Because
wearout results in progressive deterioration h(t) has to be
a monotonically increasing function, hence $\beta > 1$.

The problem inherent in applying this concept to the
present problem is that no data is available in choosing a
value of $\beta$ and $\alpha$. Life expectancy of most of the components
is based on fatigue failure and a value of $\beta$ around 1.5 is
used [27]. Experience reveals that because of environment and
working conditions at site mechanical components fail long
before their predicted life expectancy, e.g., less than 10%
of all roller bearings reach their predicted life. Japanese
research in roller bearings shows a reduction of life of 40
to 60% of rated life in low particle and moisture
concentration environment [27]. Moreover, for highly reliable
components large value of $\beta$ is chosen. Based on the considerations
above, in the absence of any specific information,
$\beta$ = 2 is chosen for the sake of analytical simplicity as it
leads to a linear hazard rate.

To find $\alpha$ a constraint is applied that at the end of a
specific period the component should have a reliability R.
Such a specification can be made even if the mechanisms that
can lead to failure of component are not known. Reliability
for Weibull distribution associated component is given by

$$R(t) = \exp\left[-\left(\frac{t}{\alpha}\right)^{\beta}\right] \qquad (4.3)$$

For $\beta$ = 2,

$$\alpha = \frac{t}{\sqrt{\ln[1/R(t)]}} \qquad (4.4)$$

Using this concept one can specify required component
reliability to assure a given system reliability. R(t) is
termed here as 'target reliability', under aging.

4.2 TIME DEPENDENT SYSTEM RELIABILITY:

Knowing thus time dependent failure rate $h_i(t)$ for
i-th component or critical path, the system hazard rate can
be computed by summation property of hazard rate for a series
system, hence

$$h_s(t) = \sum_i h_i(t) \qquad (4.5)$$

where $h_s(t)$ is system hazard rate. We can now compute
equivalent chance hazard rate $\lambda_s$ and equivalent Weibull
parameters $\alpha_s$ and $\beta_s$. The unavailability of EMSR or LPR
at any time t is given by,

$$Q_s(t) = 1 - e^{-\lambda_s t} + 1 - \exp\left[-\left(\frac{t}{\alpha_s}\right)^{\beta_s}\right] \qquad (4.6)$$

For rare events $\lambda_s$ is usually small, hence

$$Q_s(t) = \lambda_s t + 1 - \exp\left[-\left(\frac{t}{\alpha_s}\right)^{\beta_s}\right] \qquad (4.7)$$

Using the value of $Q_s(t)$ in equations (2.1) and (2.3) one
can compute unavailability of the EMSR system and that of LPRS
system. The reliability of reactor shutdown system is
given by,

$$R_{RSS}(t) = 1 - Q_{EMSRS}(t) \cdot Q_{LPRS}(t)$$

where R(t) : reliability of subscripted system at time t
      Q(t) = 1 - R(t)

and subscripts RSS : Reactor shutdown system
               EMSRS : Electromechanical shutdown rod system
               LPRS : Liquid poison rod shut-off system.

Results are presented in Table (4.1).
Table 4.1: Time dependent unavailability analysis.

NB: 1. R(t) : Target reliability at the end of a year
       (t = 8760 hrs.) of a basic component under
       aging alone.

    2. Number of basic components affected by aging:
       12 in EMSR, 15 in LPR

    3. Weibull distribution shape parameter $\beta$ = 2

Target          Weibull           EMSR System      LPR System       Combined
Reliability     distribution      Q(t=720 hrs)     Q(t=720 hrs)     Q(t=720 hrs)
R(t=8760 hrs)   scale
                parameter $\alpha$

0.90            26987.6           0.0324           0.0271235        8.78 x 10^-4
0.99            87380.586         2.47 x 10^-2     1.8885 x 10^-2   4.17 x 10^-4
0.999           276947.83         2.398 x 10^-2    1.5908 x 10^-2   3.815 x 10^-4
0.9999          876000.0          2.39 x 10^-2     0.0158           3.766 x 10^-4
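The aging model of Sections 4.1 and 4.2 carried through in Python, as an added example that is not part of the original thesis: it solves the target-reliability constraint for the Weibull scale, sums the wear-out hazards of the aging components into an equivalent series Weibull, and evaluates Eqn. 4.7. The chance rate used here is an assumption, obtained by spreading the single-EMSR unavailability of 4.245 x 10^-2 over the 720 hr exposure time; the system-level columns of Table 4.1 also need Eqns. 2.1 and 2.3 and are not recomputed.

```python
import math

HOURS_PER_YEAR = 8760.0
BETA = 2.0                        # shape parameter chosen in Section 4.1
CHANCE_RATE = 4.245e-2 / 720.0    # assumption: single-EMSR chance rate per hour


def scale_for_target(target_reliability, t=HOURS_PER_YEAR, beta=BETA):
    """Solve R(t) = exp[-(t/alpha)^beta] for alpha."""
    if not 0.0 < target_reliability < 1.0:
        raise ValueError("target reliability must lie strictly between 0 and 1")
    return t / (-math.log(target_reliability)) ** (1.0 / beta)


def wearout_hazard(t, alpha, beta=BETA):
    """Weibull hazard (beta/alpha) * (t/alpha)^(beta-1)."""
    return (beta / alpha) * (t / alpha) ** (beta - 1.0)


def series_scale(alphas, beta=BETA):
    """Hazards of series components add; with a common beta the sum is again
    a Weibull hazard whose scale satisfies alpha_s^-beta = sum(alpha_i^-beta)."""
    return sum(a ** -beta for a in alphas) ** (-1.0 / beta)


def unavailability(t, chance_rate, alpha_s, beta=BETA):
    """Eqn. 4.7: lambda_s * t + 1 - exp[-(t/alpha_s)^beta]."""
    return chance_rate * t - math.expm1(-((t / alpha_s) ** beta))


def aging_rows(chance_rate, n_aging, t=720.0, targets=(0.90, 0.99, 0.999, 0.9999)):
    """One row per target reliability: component scale, series scale, Q(t)."""
    rows = []
    for target in targets:
        alpha = scale_for_target(target)
        alpha_s = series_scale([alpha] * n_aging)
        rows.append({
            "target": target,
            "alpha": alpha,
            "alpha_s": alpha_s,
            "q": unavailability(t, chance_rate, alpha_s),
        })
    return rows


if __name__ == "__main__":
    # 12 aging components in a single EMSR, as noted under Table 4.1.
    for row in aging_rows(CHANCE_RATE, n_aging=12):
        print("R = {target:<7} alpha = {alpha:12.1f} alpha_s = {alpha_s:11.1f} "
              "Q(720 h) = {q:.5f}".format(**row))
```

The alpha values agree with the scale-parameter column of Table 4.1, and at a target reliability of 0.9999 the wear-out term adds less than 10^-5 to the single-rod unavailability.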


CHAPTER 5 


COECEUSIOIS AND DISCUSSION 


5.1 CONCLUSIONS; 

The ohjective of the present study has heen to estimate 
the unavailability of reactor shut-down system of a CANDU- 
reactor. The contribution of the present work is incorpo- 
ration of the following aspects into the unavailability 
analysis of reactor shutdown system: 

1. Choice of Weibull distribution for failure rate of 
basic components, 

2. Study of the effect of time constraint performance on 
system unavailability. 

5. Inclusion of the unavailability contribution of 
mechanical and fluidic systems , 

4. Study of the effect of aging of basic components on 
system unavailability. 

5.1.1 The purpose of assigning a distribution to failure rate 
data is to obtain an estimate of location parameter with as 
low a variance as possible without loosing information on 
the shape of distribution. As has been mentioned in 
Appendix C, both lognormal and Weibull distribution were tried 
on the field data available and it is found that for all the 
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c omp on © 111:0 l/eiliull distribution gives a lower variance than 
Lognormal cliotributionj both of them resulting in almost 
equal value of location parameter. Therefore;, in present 
study Weibull distribution has been used to represent 
failure rate data. 

5.1.2 Both, the EMSR and IPSR are required to perform their 
function within specified time. The time taken to operate 
successfully by EMSR and LPSR is 'computed using mathematical 
models described in Appendices A,B and the Monte Carlo 
simulation results are tabulated in Tables 3-lA and 3«2 a 
respectively. The deterministic time required for successful 
opers-tion of EMSR and LPSR is 1.68 and 3.15 seconds, and 
specified upper limit on the time of operation is 2.0 and 
6.0 seconds. As can been seen froi^3.1A the time constrained 
unavailability of EMSR is negligible if the relative dispersion 
on component dimensions is less than 2 percent, which is the 
usual case. Similarly riCable 3.2A depicts ihat time cons- 
trained unavailability of hPSR is negligible. Therefore, it 
can be safely concluded that with the present day manufactur- 
ing practices the time constraint unavailability is negli- 
gible if the shut-down system is designed to operate two 
times faster than the required speed, 

5.1.3 As has been mentioned in Chapter 1, major contention of 
the present study has been that the failure of mechanical and 
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and fluidic sys ggitis wi3.1 contribute significantly towards 
fcliG unavuiln, bility of reactor shutdown system. Results of 
present S'cnc^y support this assertion. Table 5.1 compares 
the results obtained with those reported by VASH-1400 and 
it can be seen that the affect of mechanical and fluidic 
system unavaiLability is to increase the system unavailabi- 
lity by an order of magnitude. 

5.1»4 Prom the results presented in Table 4.1 the effect of 
aging of components on system unavailability is obvious. 
However, if components are designed to have a reliability 
of 0,9999 at the end of 8760 hrs. (l year ) the affect of 
aging is negligible. 

5 I 2 SPSCIPIIF& MINIMIli IE7EL OP REDUHDAHCYi 

In an m/n (a minimum of m components should operate)
redundant system, depending upon the value of the unavailability
of a single component, the system reliability can be
either greater or lesser than the component reliability. However,
it is desirable that system reliability be greater than the
component reliability. For a specified value of m, and
various values of component unavailability, values of n can
be calculated such that the above mentioned criterion is
satisfied. Table 5.2 tabulates the desired redundancy for
m = 12 and 46. The information contained in this table
can be used as a design aid.
5.3 PROPOSAL FOR FURTHER WORK:

In the present work a fault tree model of the CANDU protection
system is developed and has been used to estimate the
unavailability of the protection system on the basis of
specified design, systems logic and testing and maintenance
procedures. No attempt has been made to conduct a postmortem of
design and maintenance procedure adequacy. The present work
can be extended to include:

1. Analysis of partial insertion of rod.

2. Optimum decision on testing and maintenance
procedures and the value of n.

3. Reliability analysis against inadvertent trips.

5.3.1 To shut down a reactor a definite amount of negative
reactivity is required to be inserted. This poison is
distributed in m rods so as to achieve an effective poison
introduction throughout the core. Usually, m rods contain
more poison than is needed for reactor trip. Moreover, since
stuck-up rod and partial insertion accompany poison insertion
they are not failures in a strict sense. Defining the
TOP event so as to include amount of poison inserted instead
of number of rods will produce more realistic results.
Furthermore, four shutdowns a year are expected. Depending
upon the duration of shutdown and the number of preceding
shutdowns the effectiveness of poison will be reduced for a
subsequent shutdown. The implications of this aspect
along with partial insertion of shutdown rods need to
be studied.

5.3.2 The number of redundant components required can be
reduced if frequent testing and maintenance is undertaken.
This, however, affects the system performance and increases
unavailability. An optimisation problem can be formulated
to minimise the cost of providing redundant components,
testing and maintenance procedures and the cost of reduced
output of reactor system as a function of n, frequency of
testing and maintenance and the duration of testing and
maintenance procedures.

5.3.3 A 'failure' can be either a 'safe failure' or an
'unsafe failure' depending upon the consequences. Inadvertent
trip of a reactor is a 'safe failure' from the point of
view of reactor safety but is certainly a nuisance from
reactor operations consideration. It is desirable that
spurious reactor trip should not occur and an analysis of
this will be needed to determine reactor power system
availability.



Table 5.1: Unavailability per demand of Reactor Protection System.
Table 5.2: Required Number of Redundant Components

NB: q : component unavailability
    m : specified minimum number of components
    r : minimum number of redundant components required
        to give a lower system unavailability compared to
        component unavailability.

                 m = 12                       m = 46
        Range of q            r      Range of q            r

  1.    0.0  ≤ q < 0.07       1      0.0  ≤ q < 0.02       2
  2.    0.07 ≤ q < 0.15       2      0.02 ≤ q < 0.05       5
  3.    0.15 ≤ q < 0.19       5      0.05 ≤ q < 0.05       4
  4.    0.19 ≤ q < 0.25       4      0.05 ≤ q < 0.07       5
  5.    0.25 ≤ q < 0.50       5      0.07 ≤ q < 0.08       6
  6.    0.50 ≤ q < 0.55       6      0.08 ≤ q < 0.10       7
  7.    0.55 ≤ q < 0.59       7      0.10 ≤ q < 0.12       8
  8.    0.59 ≤ q < 0.45       8      0.12 ≤ q < 0.15       9
  9.    0.44 ≤ q < 0.46       9      0.15 ≤ q < 0.15      10
 10.    0.46 ≤ q < 0.49      10      0.15 ≤ q < 0.16      11
 11.    0.49 ≤ q < 0.52      11      0.16 ≤ q < 0.18      12
 12.    0.52 ≤ q             12      0.10 ≤ q             46
APPENDIX A


MATHEMATICAL MODEL FOR ELECTROMECHANICAL SHUTDOWN ROD


The model computes the time required by the shutdown rod to
traverse the distance from the point of suspension down to the
support in the guide tube against the forces due to friction
between various components, damping due to moderator, i.e.
buoyancy and viscous drag, and energy imparted to rotating
components. The acceleration of rod at any given time t
after the release of magnetic clutch is given by the ratio of
apparent weight to real weight times the acceleration due to
gravity, hence,


a(t) = 


¥+wLq-Bq + Wl(t) -B(t) - P(t) 


dQ° 

Li V dt 


vr + w Lq + wi ( t ) 


(A.l)‘ 


In this expression. 


where 


l(t) 

II 

W+w1q 

“ ^0 

0 


B(t) 


v(t ) 

II 


t 

dt J dt a(t) j length of rope at time t, c| 
0 

= apparent weight of suspended system at i 
time t = 0 ; 

= Buoyenwijf (at t = 0) = aR^gH^ (A. 2)! 

I 

= Buo^Mty plus viscous drag at any time ; 

j 

t minus 

= gl(t) + f ^ l(t) v^(t) (A.:! 

0 

a(t) dt , velocity of rod at time t, cm/sec; 




A.1 Calculation of Frictional forces, F(t):

Sum of all frictional forces is given by,

F(t) = F_P1(t) + F_P2(t) + F_D(t) + F_g32 + F_g21

A.1.1 Calculation of F_P2(t):

Fig. A.1 shows the forces acting on the pulley P2.
Resolving the forces into vertical and horizontal
components,

downward component = T_1 + F_P2 + W_P2 - T_2 S_2

horizontal component = T_2 C_2

Pressure on the bearings P_B is given by,

$P_B = \left[ (T_1 + F_{P2} + W_{P2} - T_2 S_2)^2 + (T_2 C_2)^2 \right]^{1/2}$    (A.4)

If μ_B is the frictional coefficient in bearings then

$F_{P2} = \mu_B P_B$    (A.5)

From eqns. (A.4) and (A.5),

$F_{P2} = \mu_B \left[ (T_1 + F_{P2} + W_{P2} - T_2 S_2)^2 + (T_2 C_2)^2 \right]^{1/2}$    (A.6)

where T_1 = downward tension in rope

          = W + wL_0 - B_0 + wl(t) - B(t) = T(t)    (A.7)

      T_2 = T_1 E_2

          = [T(t) - F_P2] E_2

F_P2 is considerably small compared to T(t), hence

      T_2 ≈ T(t) E_2    (A.8)

Substituting (A.7) and (A.8) into (A.6) gives

$F_{P2} = \mu_B \left[ \left( (1 - E_2 S_2) T(t) + W_{P2} \right)^2 + \left( E_2 C_2 T(t) \right)^2 \right]^{1/2}$    (A.9)

A.1.2 Calculation of F_P1(t):


Fig. A.2 shows forces acting on pulley P1. The rope is
not assumed to be weightless. Then

T2(t) + Ppp = T2(t) + (A. 10) 

^3 = (T^-Ppp) Ep (A. 11) 

Then pressure on bearing P 2 is given by 


Pp = (T^Sp + T^Sp)^ + (T^Cp - TjCp + ¥pp) 

Since Pp-j^^ T^, T^j ss T^Ep 
hence 


Ppp = pp [(l+Ep)^Sp^TQ^ + (d-Ep) Cp Tq + Wpp)2]2 (4.1^ 


A.1.3 Calculation of F_D(t):


Figure A.3 shows forces acting on the drum. Since
rope is not weightless,


Tj + Pj3 = Tj + wl,j,3_ Oj 


(A. 13 ) 


Thrust acting on bearing Pp is given by, 
_ 2 


'D 


(T 0 P 3 + Wj,)2 + T=iS2 


Hence, 




/a -1 >1 a 





A.1.4 Contribution to F(t) by gears g1, g2 and g3:

The friction due to shaft bearing gears and bearing
for g1 and g2 is negligible. It is therefore sufficient to
consider friction between gear teeth. To compute this term
sliding friction (coefficient of friction μ_S) between the
teeth of two gears is considered. At any given moment on
average 2 pairs of surfaces are sliding against each other.


Torque due to tension T_3 about the axis of
drum = T_3(t) R_D;

neglecting the torque lost in bearings due to friction,
the force acting on the gear teeth is approximately given by


T3'(t) Eb 

Hence friction due to gears g2 and g3,


(A. 15) 


Pg^2 - 


(A. 16) 


Because g2 and g1 are of the same size, and once again neglecting
loss of torque due to friction,

Pg2i = 2pg 


(A. 17) 



A.2 Computation of Deceleration due to Moment of Inertia
of Rotating Components:

The inertial effect of all rotating components other
than drum on the acceleration of shutdown rod is negligible
because of very low moment of inertia. The problem is now
that of an apparent mass m suspended by a rope wound over a
drum of mass M. The initial acceleration of mass is a_0.

It can be shown that because of the inertia of drum the
modified acceleration a is given by,


n 


a z= 




I- + la ^ 
drum 4 


(A. 18) 


where D      : diameter of drum
      I_drum : moment of inertia of drum

The apparent mass of rod is given by

V/(t) + wl(t) B{t) - ir(t) 


m(t ) 


1 

7 


M 


a. 


(A. 19) 
Notations:

a(t)  : acceleration of rod at time t, cm/sec²
f     : Darcy's friction coefficient
g     : acceleration due to gravity, cm/sec²
w     : weight of rope, Kgf/cm
C_i   : Cos θ_i
D_e   : equivalent diameter of rod, cm
D_i   : diameter of component i, cm
E_i   : exp (-μθ_i)
F_i   : frictional force due to component i
G_ij  : gear ij
H_0   : initial length of rod in water
I_i   : moment of inertia of component i, Kg cm
L_0   : initial length of unwound rope
P_i   : pulley i
R     : radius of rod, cm
R_i   : radius of component i
S_i   : Sin θ_i
T     : tension in rope, Kgf
W     : weight of rod, Kgf
ρ_w   : density of water
μ_B   : coefficient of friction in bearing
μ_S   : sliding coefficient of friction

FIG. A.1: PULLEY P2




APPENDIX B


MATHEMATICAL MODEL FOR LIQUID POISON ROD SHUT-OFF

The model computes the time required to fill a liquid
poison rod after receiving the scram signal. As was described
in Chapter 2, the liquid injection into the rod takes place
because of the equalisation of pressures in the two tanks
(LHT and GHT) triggered by the scram signal. Because the
He-gas pressure in the two tanks and the liquid head in
the piping are continuously changing, the liquid flow is
essentially unsteady, and so will be the flow of gas from one
tank to another; the problem therefore involves interaction
of the gas flow circuit and the liquid flow circuit. One should
also include the time characteristics of the opening of the
valve. We have, however, assumed that after receiving the scram
signal 100% opening of valve is available in order to
avoid complications of dynamics of fluid flow because of
changing aperture of valve. To include the time delay effect
a correction time is applied to the time required to fill the
liquid poison rod.

B.1 LIQUID FLOW CIRCUIT:

Fig. B.1 shows the liquid flow circuit of the system
at some time t. Thermodynamical property changes of liquid
poison are neglected. The control volume at time t is as shown
by dotted lines and we now apply basic laws of continuous
media to this control volume.


CONTINUITY EQUATION:

The integral form of continuity equation is

$\oint_{c.s.} \rho\, \vec{V} \cdot d\vec{A} = -\frac{\partial}{\partial t} \int_{c.v.} \rho\, dv$    (B.1)

Because liquid poison is incompressible, ρ = constant,

hence V_1 A_1 = V_2 A_2    (B.2)


Momentum Equation:


For a control volume fixed in space, the momentum
equation is,

$\vec{F}_S + \vec{F}_B = \oint_{c.s.} \vec{V} (\rho\, \vec{V} \cdot d\vec{A}) + \frac{\partial}{\partial t} \int_{c.v.} \vec{V} (\rho\, dv)$    (B.3)

where F_B = force distribution acting on the material inside
            the system (body force)

      F_S = surface forces (force distribution acting on the
            boundary of system).


For simplicity, shear stresses are neglected. 

In applying equation B.3 to the liquid flow circuit the
convention is that the forces acting in the direction of flow 
are positive. With reference to Fig. B.l, 

i-B =Pl g [aMi + 


(B.4) 
F_S = Reaction force acting on fluid in tank 1
      + Friction force + Forces acting on the end
      surfaces of liquid.


[P i P o- I 1 f A i ~ ^2 ^2 ( , h, 

h ^ h 


^1 % ^2 


' ^2 ^2* ^ ~ 

On algebraic manipulations, 

~ A2 f 2 S [^1 ^-2 ~ '^4^ ■*' (^i“^2^-^2 


(B.5) 


i ^2^2 tl k. -^ 2 -" A +A 




D, 


] (B.S) 


Term, 



Y ■ ■ 


c^s* 


V 


Tpdv 


(fv.dA)| = - +t^Yl A 2 = {1^2^ (1- jr) 




V 


^idl^ 


+ 


V. 


V^A2 dl2 


4 ^ 


Y 


1 

(3,7 


fl^4 ^^4 


= V- 


Pp "^2^2 ^(=^2 + I3 + I4) 


It^ 


A. 


= ^2 ^ ^2 A2 ^1 ^2 '■ ^3 ^ 





hence,


9 

3^" 


dY. 


vfdvj 


A-, dl dl, 

^ ^2 ^2 % dir ■*■ df") 


,, A. dY^ 

^^2 ^1 ^2 ^3 + ^ a ) 


'4^ dt 


+ 2 i Ao Yi 
2 2 


(B.8) 


Equating eqns. (B.6) and (B.8) + (B.7), and on simplification,


where, 


c^(t ) 

U V p 

+ C2(t) Y^ - C^(t) = 

c^Ct) 


■ g( ^ 1^ + I2 + I3 + 1 

C2(t) 

= 

: j^d - ^0 + 2. 1 + 



"‘‘I' ^ ^2 - ^ 4 ^ 


(B.IO) 


A ^ in * 

^ -S-n,2_l) (B.i: 


Ai 


(B.12) 


B.2 GAS FLOW CIRCUIT:


The problem of the gas flow circuit needs to be solved to
produce functions P_1(t) and P_2(t). The basic problem is to
find gas flow from a high pressure tank H to a low pressure
tank L. The fluid is compressible and because of changing
pressure the flow is unsteady, there is friction due to the
interconnecting pipe and thermodynamic property changes will
take place. Another element of complication is due to the
fact that gas flow will be near Mach number of 1.

An exact formulation of the problem is possible [20]
but because of the computational complexity the unsteady flow
is assumed to be steady over a small time interval. In case
of small interconnecting pipes the gas flow can be assumed
adiabatic [29]. Therefore, the problem is now of solving a
steady, adiabatic gas flow through constant area duct with
friction. This is a standard problem whose solution is
available in advanced texts [29]. Below we give relevant
results.


Fig. B.2 illustrates the physical situation. The
equation relating the two pressures P_H and P_L is,





1 + 


M. 


H 


1 + 


m: 


(B.15) 


M_H and M_L are velocities of gas at the two ends in
Mach numbers. From this equation, given P_H, P_L and M_H, M_L
can be found. By using mass balance and gas law, pressure
changes in H and L can be computed. M_H can be obtained by
assuming isentropic pressure change in high pressure cylinder.
This can be done by using [29],

$M_H = \left\{ \frac{2}{K-1} \left[ \left( \frac{p_0}{p} \right)^{\frac{K-1}{K}} - 1 \right] \right\}^{1/2}$    (B.14)

where p is the present pressure and p_0 is stagnation pressure
(pressure corresponding to M_H = 0), in our case initial
pressure.


We now extend these relations to the LPR shutoff system.


B.2.1 BOOSTER CYLINDER:


The exit velocity of gas from booster cylinder is
given by using eqn. B.14,

$M_B = \left\{ \frac{2}{K-1} \left[ \left( \frac{P_{oB}}{P_B} \right)^{\frac{K-1}{K}} - 1 \right] \right\}^{1/2}$    (B.15)


Hence, Vg = CM-g = Mg 

Assuming steady state condition for small time interval t,
gas outflow rate = ρ_B A v_B

where A is cross-sectional area of interconnecting pipe.


“ij" 


Also, Gas outflow rate 



V. 


B 


R- 


B 


dP_ 

dt 


where, SS 



interval t. 


P Po T 

and it constant over time 

I B ^oB -^oB 

Therefore, equating two gas flow rates, 


dPg 

“mb' 


^Avg 


V. 


B 


m RT (Ideal Gas Law) 


(B.16) 


Since, PV 



S = T [ i “ . 1 am ■, 

^Pdt mdt-' 


lienee 
dTj,


= ''bC 


X 

Pg dt- 


i ^ 

lil-n dt 


{B.17) 


where. 


m- 


B 




B.2.2 Gas Header Tank: 


Gas exit velocity is given by. 


M. 


P 

' [(¥) ^ - 1] 


K-1 


G 


Hence v 


G 


Mg IK 



(B. 18 ) 


Assuming steady state conditions prevail,


gas outflow rate 


also, gas outflow rate 


" u 

d(VgPg) 

~dPE^ 


- [V, 


dp 


G 


dV, 


G 


G dt ^G dt 


dt 


Pg A 2 ^2 


Equating the two gas outflow rates , 




^ C “=6 A Vg - Pg Ag Yj] 

''G 


(3.19) 


and it can be shown 


that , 
dTp (jp

_ m r 1 & 

[ p- “at 


tfl * J. ^!g , 
Vg mg at J 


(B.20) 


where m. 


XQ. = mass of gas in GHT and LPPu 
B.2.3 Liquid Header Tank:


Gas enters LHT from two sources, viz. GHT and Booster
cylinder. Velocity of gas received from Booster cylinder is
obtained by solving eqn. (B.15),


M. 


LB 


2 

[(pS) 

■^L 


m: 


•B 


T 4. IL-i ]\/[^ 

^ 2 B 


K-l -,“2 

- ] 


(B.21) 


Similarly, velocity of gas received from GHT is given by,


M. 


LG 


Gn2 


m: 


= [(5^) 


G 


1 + nl 




corresponding velocities are, ’^LB “ ^LB 


I ^ 

K ^ , 


and Vj^^ - 


K 


(B.22) 


Gas inflow rate = at ^^L ^L^ -^L “^1 ^’^LB "^LG^ 

dV^ V^ dP^ 

or, Pp, pT "d^ = ^1 ^^LB ^LG^ 

Jj 


hence. 


dP 


L 


[A^ (vj-p + ^jjQ.) ~ 


vr ‘-^l^'^LB 

iJ 


^I'l- 


(B.23) 
and it can be shown that,


d 



dPh 

“5t + ~Tr 




(B.24) 


The computer program LPSHUT executes the above formulation. 


Notations:

A_i : area of cross-section at section i
D_i : diameter of pipe at section i
M_i : Mach number at section i
P   : He-gas pressure
V_i : velocity of fluid at section i
g   : acceleration due to gravity
l_i : length of pipe i
ρ_l : density of liquid poison
ρ_i : density of He gas in tank i; i = B, L or G.

APPENDIX C


DATA TREATMENT AND UNAVAILABILITY ESTIMATION

C.1 DATA TREATMENT:

It has been emphasized before that failure data on
reactor systems is either not available or is highly sparse;
the same holds true for the data on basic component failure.
Therefore, it becomes inevitable to collect failure data on
basic components from other industries. Since components
designed to perform similar functions in different industries
may have different designs, are manufactured by different
companies and are exposed to different environments in application,
it is natural to expect that failure data thus collected
will exhibit large scatter. In such a situation it is not
possible to assign a point estimate of failure rate for
generic components and failure rate has to be treated as a
random variable and a probability density function is assigned
to this random variable.

The treatment of data as random variables serves as a
means to describe the uncertainty of the data. The range
of the random variable gives possible values that the random
variable can take and the probability distribution assigned
gives the likelihood that the data value will actually be
any one of the given values in this range.
For the present study failure data was obtained from
WASH-1400 [22] and reference [23]. Reference [23] gives
mean, upper bound and lower bound on the failure rate and
it can be assumed that sufficient field data was available
to allow such estimates. WASH-1400 reports 5 percentile and
95 percentile values of the field data and assessed median value by
fitting lognormal distribution to the available data. The
reasons put forward in support of lognormal distribution by
the report can be summarized as:

'Lognormal is a natural distribution for describing data which
can vary by factors, it has an adequate shape to represent
field data, it is flexible, it is consistent with reliability
and data properties and it is standardly employed distribution.'

It may be noted that the shape of distribution corresponding
to lognormal, i.e. a peak and skewness towards right, and
the 5 and 95 percentile values can be treated as empirical
information. Furthermore, because of large variance in data
(it is almost equal to median value) it is not very meaningful
to strive for an accurate location parameter estimate. It
should instead be preferable to obtain a distribution giving
lower variance than lognormal and based on the same empirical
information. Other distributions mentioned in literature
are Gamma and Weibull [6]. Gamma has been used in Bayesian
estimation of reliability because it is conjugate to Poisson
distribution and gives closed form posterior. Weibull, on the
other hand, has the advantages of being more flexible and
having a closed form distribution function. Therefore,
Weibull distribution was tried on data from WASH-1400 and
ref. [23] and the one having proper shape and lower variance
among Weibull and lognormal was chosen. Results are
tabulated in Table C.2.
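
The percentile-based fit described above can be reproduced directly. The following Python code is an added example, not the thesis's own program: it assumes a two-parameter Weibull and a lognormal are each passed exactly through the 5 and 95 percentile values, and all function names are illustrative. The sample input is the heavy-duty ball bearing entry of the failure rate data table at the end of this appendix (0.072 and 3.53).

```python
from math import exp, gamma, log, sqrt
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)  # standard normal 95th percentile (about 1.645)


def fit_lognormal(x05, x95):
    """Return (median, sigma) of the lognormal with 5%/95% points x05/x95."""
    median = sqrt(x05 * x95)              # ln(median) lies midway between the two logs
    sigma = log(x95 / x05) / (2.0 * Z95)  # the log-range spans 2 * 1.645 sigma
    return median, sigma


def fit_weibull(x05, x95):
    """Return (shape, scale) of F(x) = 1 - exp(-(x/scale)**shape) through both points."""
    k05 = log(-log(1.0 - 0.05))           # ln(-ln(1 - F)) is linear in ln(x)
    k95 = log(-log(1.0 - 0.95))
    shape = (k95 - k05) / log(x95 / x05)
    scale = x95 / exp(k95 / shape)
    return shape, scale


def lognormal_std(median, sigma):
    """Standard deviation of a lognormal given its median and log-sigma."""
    return median * exp(sigma ** 2 / 2.0) * sqrt(exp(sigma ** 2) - 1.0)


def weibull_std(shape, scale):
    """Standard deviation of a two-parameter Weibull."""
    return scale * sqrt(gamma(1.0 + 2.0 / shape) - gamma(1.0 + 1.0 / shape) ** 2)


def compare(x05, x95):
    """Fit both distributions to one percentile pair and report the lower spread."""
    shape, scale = fit_weibull(x05, x95)
    median, sigma = fit_lognormal(x05, x95)
    w_sd = weibull_std(shape, scale)
    l_sd = lognormal_std(median, sigma)
    return {
        "weibull": (shape, scale),
        "weibull_std": w_sd,
        "lognormal": (median, sigma),
        "lognormal_std": l_sd,
        "lower_spread": "weibull" if w_sd < l_sd else "lognormal",
    }


if __name__ == "__main__":
    # Heavy-duty ball bearing: 5 and 95 percentile failure rates from the data table.
    result = compare(0.072, 3.53)
    for key, value in result.items():
        print(key, value)
```

For this entry the fitted parameters agree with the tabulated Weibull and lognormal values to rounding, and the Weibull fit has the smaller standard deviation.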

C.2 UNAVAILABILITY ESTIMATION [5]:

Unavailability is the probability that a system when
used under stated conditions shall not operate satisfactorily
over a given time interval. The TOP event of a fault tree
defines the condition for unsatisfactory operation of the
system in terms of hardware performance. The probability of
the TOP event, therefore, gives the unavailability of the system.
The TOP event can be expressed as a Boolean algebra function of
primary events. This function should be logically simplified
to eliminate redundant events and to do so the following basic
properties and laws of Boolean algebra are used.

a. Identities:

1. A + A = A

2. A . A = A

b. Distributive Laws:

1. A(B+C) = (A.B) + (A.C)

2. A+(B.C) = (A+B) . (A+C)

c. Laws of Absorption:

1. A + (A.B) = A

2. A . (A.B) = A.B

In case of complex fault trees mere algebraic simplification
becomes tedious and one can use the decision table method
or the Karnaugh graph method. The essential idea is to obtain
all the minimal cut sets of the TOP event such that we can
write, after simplification, the TOP event as

T = M_1 + M_2 + ... +    (C.1)


where the minimal cut-set, M_i, is the intersection of primary
events

M_i = C_i1 C_i2 C_i3 ... C_im    (C.2)


and no M_i is a subset of another M_j. The minimal cut sets, also
termed critical paths, are important because they specify a
unique 'failure mode' by which the TOP event can occur. Decomposition
of the TOP event into all possible critical paths is not
essential if we are only interested in the TOP event failure
probability. However, identification of all possible critical
paths becomes inevitable if Risk estimation is to be done where
each failure mode will have a different consequence.

Once the TOP event is expressed as a simplified Boolean
function of primary events, the probability of the former can
be related to that of the latter by use of the basic operational laws
to combine probability, given below:
a. UNION:

Boolean expression: T = A+B

Probability expression:

P(T) = P(A) + P(B) - P(A.B)

b. INTERSECTION:

Boolean expression: T = A.B
Probability expression:

P(T) = P(A).P(B/A), if A and B are dependent
or P(T) = P(A).P(B), if A and B are independent

The rare event approximation is applicable when the
intersection probability P(A.B) is much smaller than the
individual probabilities, P(A) and P(B). If A and B are
independent then P(A.B) = P(A).P(B), and the rare event
approximation will be valid if the cross product term P(A).P(B)
is much smaller than P(A) and P(B). This will be the case when
P(A) and P(B) are less than approximately 0.1 [5]. Whether
the events are independent or dependent and regardless of the
probabilities, the rare event approximation will always give
a conservative estimate. The approximation in general is
also quite accurate [5].

Applying the probability laws given above to the TOP event
expression of eqn. (C.1) we get

$P(T) = \sum_{i=1} P(M_i) - \sum_{j=1} \sum_{i=1} P(M_i) P(M_j)$

       + Probability of all possible triple
         combinations

If the rare event approximation is applied then

$P(T) \approx \sum_{i} P(M_i)$    (C.3)

If primary events are independent,

$P(M_i) = \prod_{k=1}^{m} P(C_{ik})$    (C.4)
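
As an added example (not part of the thesis), the Python code below reduces a small fault tree to its minimal cut sets using the identity and absorption laws listed above, then compares the rare event approximation with the exact inclusion-exclusion value. The tree, the event names and the probabilities are constructed for illustration, and the primary events are assumed independent.

```python
from itertools import combinations
from math import prod

# Constructed fault tree (illustrative only, not the thesis's CANDU tree).
# A gate is (op, [children]); a leaf is the name of a primary event.
TREE = ("OR", [
    ("AND", ["CH_A", "CH_B"]),
    ("AND", ["CH_A", ("OR", ["CH_B", "CLUTCH"])]),
    ("AND", ["CLUTCH", "CLUTCH"]),
    ("AND", ["VALVE_1", "VALVE_2", ("OR", ["CH_A", "VALVE_1"])]),
])

# Constructed per-demand failure probabilities of the primary events.
P = {"CH_A": 0.01, "CH_B": 0.02, "CLUTCH": 0.001, "VALVE_1": 0.05, "VALVE_2": 0.04}


def cut_sets(node):
    """Expand a gate tree top-down into a set of cut sets (frozensets of events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, children = node
    expanded = [cut_sets(child) for child in children]
    if op == "OR":
        # A + A = A: duplicate cut sets collapse because the result is a set.
        return set().union(*expanded)
    if op == "AND":
        # Distributive law; A . A = A because each cut set is itself a set.
        result = {frozenset()}
        for child_sets in expanded:
            result = {a | b for a in result for b in child_sets}
        return result
    raise ValueError(f"unknown gate {op!r}")


def minimal_cut_sets(node):
    """Apply absorption, A + (A.B) = A: drop every cut set that contains another."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def p_cut_set(events, p):
    """Probability of an intersection of independent primary events."""
    return prod(p[e] for e in events)


def rare_event(mcs, p):
    """Rare event approximation: sum of the minimal cut set probabilities."""
    return sum(p_cut_set(m, p) for m in mcs)


def exact(mcs, p):
    """Exact P(TOP) by inclusion-exclusion over the minimal cut sets."""
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            # The joint event of several cut sets is the union of their events.
            total += sign * p_cut_set(frozenset().union(*combo), p)
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    print("minimal cut sets:", sorted(sorted(m) for m in mcs))
    print("rare event approximation:", rare_event(mcs, P))
    print("exact (inclusion-exclusion):", exact(mcs, P))
```

The approximation exceeds the exact value by the cross-product terms only, which is why it is conservative.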

C.3 UNAVAILABILITY CONTRIBUTIONS [4]:

Component unavailability is defined as the probability
of being in a failed state when required. The particular
contributions to component unavailability that arise in
analyses are broken down as below:

C.3.1 FAILURE UPON DEMAND:

It comprises failure of a component to start, e.g.
a pump failing to start, and failure of demand itself, e.g.
failure of a control signal to be transmitted to the component.
The demand can be automatically initiated or manually initiated
by the operator. In the latter case it is failure of the operator,
i.e. a human error of omission. The failure upon demand
contributions Q are directly given by the demand data in
the data base

Q =

where is unavailability per demand.



C.3.2 UNREPAIRED FAILURE CONTRIBUTIONS:


The unavailability contribution for unrepaired failures
is given by,

Q = λτ

where λ is the failure rate and τ the average fault
duration time for which the failure can exist after detection.
If the component is not monitored but periodically tested then
τ is one-half of the test interval.

C.3.3 TEST OUTAGES:

If the component is disabled in on-line periodic
testing then the unavailability contribution is,

Q = t_D / t_T

where t_D is the average test downtime

and t_T is the average interval between tests.

If the component is not disabled during testing or there
is an override backup then Q is negligible.

WASH-1400 recommends: t_T = 1 month

                      t_D = 0.72 hr.

(a lognormal average of 75 min minimum and a 2 hr. maximum.)



C.3.4 MAINTENANCE OUTAGES:


Scheduled maintenance outages contribute to unavailability
in a way similar to test outages. For unscheduled
maintenance, i.e. done when required, the unavailability is
given by,

Q = t_D / t

where t is the average time of the maintenance distribution.
The above formula can be rewritten as,

Q = f t_D / 720 (hrs/mo.)

where t_D is downtime in hrs, and

f = 1/t (months^-1)

where t is average time in months between maintenance acts.
WASH-1400 in general used:

f = 0.22, which corresponds to a 4.5 months average frequency
interval (associated with 90 percent range of 1 month and
12 months).

t_D = 7 hrs. (associated with a range of 0.5 hrs. to
24 hrs. maximum)

The range in downtimes incorporates maintenance
error and inefficiency contributions.
C.3.5 TOTAL UNAVAILABILITY:

The total unavailability of the system will be the
sum of unavailability contributions discussed above. In
general unavailability has the form

Q = MDT / (MDT + MTBM)

where MDT  : mean down time

      MTBM : mean time between maintenance

Fig. C.5 illustrates a typical duty cycle.

If λ is operational failure rate

   λ_r is repair failure rate

then MDT = 1/λ_r

     MTBM = 1/λ for unscheduled maintenance

hence , 


Q = 


1 






eq 


MDT 


hence, 


A 


A 


eq 


A +Ay 


A 


eq 


If λ_r >> λ, as is the case with nuclear components,
λ_eq ≈ λ, the operational failure rate, and no improvement
is expected from unscheduled maintenance; obviously, because
of the low operational failure rate, the frequency of unscheduled
maintenance will be low.
C.4 CUMULATIVE FAILURE PROBABILITY:

The cumulative failure probability, or simply failure
probability, is the probability that the component will not
operate successfully for a required time period t. The
component is supposed to have started successfully and the
failure probability refers to the operational mode.

For a single component, the failure probability is
given by,

P = 1 - e^(-λt) ≈ λt

where the approximation P ≈ λt is used since it is
valid to several significant figures for probabilities less
than 0.1.

For n repairable components in parallel, each having
an unavailability of Q_i and operational failure rate λ_i,
the failure probability is given by



For more complicated cases basic laws of probability
can be extended [12, 5].

C.5 COMMON MODE FAILURE AND QUANTIFICATION TECHNIQUE:

Common mode failures (cmf) are defined as multiple
failures which occur because of a single initiating or
influencing cause. Instead of triggering simultaneous
failures, which is the extreme case, the common cause may
produce a less severe, but common, degradation of the components.
In such a case components may not fail simultaneously
but their joint probability of failure can be greatly
increased [151]. In brief, any common property of the
components introduces dependencies that will lead to cmfs [50].
The common causes can be classified into the following [51]:

A. Design defects

B. Fabrication, Manufacturing and Quality Control
variations

C. Test, maintenance, and repair errors

D. Human errors

E. Environmental variations (contamination,
temperature, etc.)

F. Failure or degradation due to an initiating failure

G. External initiations of failure

The contribution of common mode failure can be
quantified as a cmf failure rate λ_cm. In most of the
practical cases λ_cm is smaller than the chance failure of a
component and can be neglected. However, for a redundant
system λ is greatly reduced but λ_cm is constant and
becomes significant. The greater the redundancy, the more dominant is
the effect of cmf. Apostolakis [50] has shown that for the case
where λ_cm is smaller than the system chance failure rate, there
exists an initial period T for which cmf dominates. The
higher the degree of redundancy the greater is the time T, and
cmf dominates chance failure by an order of magnitude. For
the case of redundant components being inspected every T_i < T,
effort should be directed towards decreasing the
potential of a cmf, since it is the dominant cause of failure.
Conversely, for a given T_i there is a maximum degree of
redundancy which is effective in reducing the probability
of chance failures and further addition of redundant elements
is unnecessary because chance failures are no more important.
Before a consideration of cmf is included it has to be
ascertained whether the contribution of cmf is really meaningful.
Apostolakis [50] has suggested the following upper bounds
below which cmf contribution can be treated as negligible.

Table C.1: Upper bound to λ_cm for m-out-of-n systems
(n repairmen)

LOGIC m/n      μ ≈ 0             μ >> λ

   1/2         (6/7) λ           2λ²/μ
   1/3         (66/85) λ
   2/3         (30/19) λ         6λ²/μ
   1/4         (60/85) λ         4λ⁴/μ³
   2/4         (156/115) λ
   3/4         (84/37) λ         12λ²/μ

where μ is repair rate.



The problem now addressed is quantification of cmf.
It should be observed that in general there will be almost
no data to permit realistic treatment of cmf contribution.
In such a case it is usual to compute an upper bound, although
this has the disadvantage of being highly conservative.

Consider joint failure AB of two failures A and B.
Whether A and B are independent or dependent,

P(AB) ≤ P(A), and P(AB) ≤ P(B)

therefore, the best upper bound can be taken as

P(AB) ≤ Min [P(A), P(B)]

Here, P(AB) can represent both random failure and cmf and
the equation therefore gives a conservative estimate. If
error spread of probabilities is to be incorporated then
P(A) and P(B) are replaced by their respective upper
bounds.

For a general combination consisting of n failures:

Single Failure Bound:

P(A_1 A_2 ... A_n) ≤ Min [P(A_1), P(A_2), ..., P(A_n)]

Double Failure Bound:

P(A_1 A_2 ... A_n) ≤ MIN [Probabilities of all double
combinations]

Triple Failure Bound:

P(A_1 A_2 ... A_n) ≤ MIN [Probabilities of all triple
combinations]

and so on.

The various upper bounds are therefore obtained by computing
the probabilities of smaller combinations contained in the
original, large combination. The upper bounds are obtained
not only for the minimum, but for any smaller combination
probability that is computed.

In determining the range for a cmf probability an
upper bound and a lower bound are required to define the
range. The upper bound is obtained as has been mentioned
above. The lower bound is simply taken as the joint probability
of the two events considering them independent. These two
bounds, in consistency with the data treatment so far, are
treated as 5 and 95 percentile values and an adequate
distribution is fitted (Weibull or Lognormal) to obtain
lowest variance. The location parameter estimate is chosen
as best estimate of cmf probability [4].
Table C.2: Failure Rate Data of Basic Components.

Unit: failures/10^6 hrs.

                                 Field Data              Weibull Parameters     Lognormal Parameters
Component description            .05         .95                  a             m            σ

 1. Ball bearing                 0.072       3.53        1.045      1.2349      0.505        1.179
    (heavy duty)
 2. Ball bearing                 0.035       1.72        1.044      0.6         0.244        1.18
    (light duty)
 3. Welds (Fasteners)            10^-4       0.1         0.588      0.0156      3x10^-3      2.0
 4. Elbows, Flanges,             10^-2       10.0        0.588      1.56        0.318        2.09
    Expansion joints
 5. Gaskets                      0.1         100.0       0.588      15.6        3.176        2.09
 6. Gears (general)              0.0118      0.2         1.437      0.132       0.0486       0.86
 7. Magnetic clutch              4.1         41.0        1.766      41.0        13.18        0.697
 8. Pipe (rupture dia 3")        3x10“^      3x10“^      0.588      3x10“^      9.45x10'     2.09
 9. Pressure gauges              1.35        5.77        2.799      1.544       2.79         0.443
10. Pressure sensors             1.7         7.6         2.72       4.497       3.59         0.453
11. Low Pressure Tank            0.1         0.324       3.46       0.2         0.180        0.356
12. High Pressure Tank           0.044       0.144       3.43       0.089       0.0797       0.36
13. Instrument channels
    a. failure to operate        0.1         10.0        0.883      1.5147      3.893        1.39
    b. shift in calibration      3.0         500.0       0.883      45.4        30.0         1.39
14. Springs (heavily stressed)   9.9x10^-5   0.1         0.588      0.0156      3.15x10^-3   2.096
15. Springs (lightly stressed)   8.93x10^-2  0.89        1.766      0.48        0.28         0.698
16. Valves (leak)                7.54x10^-3  6.78x10^-2  1.851      0.0375      0.0226       0.666
17. Valves (plugged)             2.26        20.34       1.851      11.25       6.78         0.666


